Abstract. In a process algebra with hiding and recursion it is possible to create processes which compute internally without ever communicating with their environment. Such processes are said to diverge or livelock. In this paper we show how it is possible to conservatively classify processes as livelock-free through a static analysis of their syntax. In particular, we present a collection of rules, based on the inductive structure of terms, which guarantee livelock-freedom of the denoted process. This gives rise to an algorithm which conservatively flags processes that can potentially livelock. We illustrate our approach by applying both BDD-based and SAT-based implementations of our algorithm to a range of benchmarks, and show that our technique in general substantially outperforms the model checker FDR whilst exhibiting a low rate of inconclusive results.



1. Introduction 

It is standard in process algebra to distinguish between the visible and invisible (or silent) actions of a process. The latter correspond to state changes arising from internal computations such as resolving of nondeterminism, unfolding of a recursion, abstraction of details. Their occurrence is silent and is not detectable or controllable by the environment. A process is said to diverge or livelock if it reaches a state from which it may forever compute internally through an infinite sequence of invisible actions. This is usually a highly undesirable feature of the process, described in the literature as "even worse than deadlock, in that like an endless loop it may consume unbounded computing resources without achieving anything" [10, page 156]. Livelock invalidates certain analysis methodologies, e.g., it signifies lack of progress, and is often symptomatic of a bug in the modelling. However, the possibility of writing down divergent processes arises from the presence of two crucial constructs, recursion and hiding. The latter converts visible actions into invisible ones and is a key device for abstraction.

We distinguish two ways in which a process may livelock. In the first, a process may be 
able to communicate an infinite unbroken sequence of some visible event, and this process 
then occurs inside the scope of an operator which hides that event. Alternatively, a process 
may livelock owing to the presence of an unguarded recursion. Roughly speaking, the latter 
means that the process may recurse without first communicating a visible action. 

This paper is concerned with the problem of determining whether a process may livelock in the context of the process algebra CSP, although the principles upon which our analysis is based should be transferable to other process algebras as well. While it is straightforward to show that the problem is in general undecidable¹, we are still able to provide a conservative (i.e., sound but incomplete) method of checking for the possibility of livelock: this method either correctly asserts that a given process is livelock-free, or is inconclusive. The algorithm is based on a static analysis² of the given process, principally in terms of the interaction of hiding, renaming, and recursion. This analysis naturally divides into two parts according to the two sources of livelock outlined above.

The basic intuitions underlying our approach are fairly straightforward. In part they mirror the guardedness requirements which ensure that well-behaved CSP process equations have unique, livelock-free fixed points [21, Chap. 8]. However, we extend the treatment of [21] by allowing guarded recursions to include instances of the hiding operator. Incidentally, Milner's notion of guarded recursions in CCS is similarly restricted by the requirement that variables not occur inside parallel compositions [15]. Complications arise mainly because we want to be able to fully incorporate hiding and renaming in our treatment, both of which can have subtle indirect effects on guardedness.

We note that the idea of guarded recursions is standard in process algebra. For instance, in Milner's framework, a variable is 'strongly guarded' in a given term if every free occurrence of the variable in the term occurs within the scope of a prefixing operator [15]. This notion is introduced in order to justify certain proof principles, such as that guaranteeing the uniqueness of fixed points up to bisimilarity. Strong guardedness has also been extended to a calculus with hiding and action refinement [3]. A key difference between our approach and these notions is that we seek to guarantee livelock-freedom, rather than merely the existence of unique fixed points.

In fact, there are few papers which deal with the problem of guaranteeing livelock-freedom in the setting of concurrent process calculi³. The existing work on livelock-freedom has mostly been carried out in the context of mobile calculi. [23] presents an approach for guaranteeing livelock-freedom for a certain fragment of the π-calculus. Unlike the combinatorial treatment presented here, this approach makes use of the rich theory of types of the π-calculus, and in particular the technique of logical relations. Another study of divergence-freedom in the π-calculus appears in [30], and uses the notions of graph types.

¹ For example, CSP can encode counters, and is therefore Turing-powerful.

² Here static analysis is used to distinguish our approach from the state-space exploration methods that underlie model checking or refinement checking.

³ In contrast, there are numerous works treating termination for the λ-calculus or combinatory logic [8].

Note that CSP is predicated upon synchronous communication. In terms of livelock analysis, different issues (and additional difficulties) arise in an asynchronous context (assuming unbounded communication buffers); see, e.g., [13, 14].

Of course, one way to check a process for divergence is to search for reachable cycles of silent actions in its state space, which is a labelled transition system built from the operational semantics. Assuming this graph is finite, this can be achieved by calculating its strongly connected components, using, e.g., Tarjan's algorithm [5]. The latter can be carried out in time linear in the size of the graph, which may however be exponential (or worse) in the syntactic size of the term describing the process. By circumventing the state-space exploration, we obtain a static analysis algorithm which in practice tends to substantially outperform state-of-the-art model-checking tools such as FDR; see Section 7 for experimental comparisons.

Naturally, there is a trade-off between the speed and accuracy of livelock checking. It is not hard to write down processes which are livelock-free but which our analysis indicates as potentially divergent. However, when modelling systems in practice, it makes sense to try to check for livelock-freedom using a simple and highly economical static analysis before invoking computationally expensive state-space exploration algorithms. Indeed, as Roscoe [21, page 208] points out, the calculations required to determine if a process diverges are significantly more costly than those for deciding other aspects of refinement, and it is advantageous to avoid these calculations if at all possible.

Recent works in which CSP livelock-freedom plays a key role include [6] as well as [25, 24]; see also references within.

2. CSP: Syntax and Conventions

Let $\Sigma$ be a finite set of events, with $\checkmark \notin \Sigma$. We write $\Sigma^{\checkmark}$ to denote $\Sigma \cup \{\checkmark\}$ and $\Sigma^{*\checkmark}$ to denote the set of finite sequences of elements from $\Sigma$ which may end with $\checkmark$. In the notation below, we have $a \in \Sigma$, and $A \subseteq \Sigma$. $R$ denotes a binary (renaming) relation on $\Sigma$; its lifting to $\Sigma^{\checkmark}$ is understood to relate $\checkmark$ to itself. The variable $X$ is drawn from a fixed infinite set of process variables.

CSP terms are constructed according to the following grammar:

$$P ::= STOP \mid a \to P \mid SKIP \mid P_1 \sqcap P_2 \mid P_1 \mathbin{\Box} P_2 \mid P_1 \parallel_A P_2 \mid P_1 ; P_2 \mid P \setminus A \mid P[R] \mid X \mid \mu X . P \mid DIV .$$

$STOP$ is the deadlocked process. The prefixed process $a \to P$ initially offers to engage in the event $a$, and subsequently behaves like $P$. $SKIP$ represents successful termination, and is willing to communicate $\checkmark$ at any time. $P \mathbin{\Box} Q$ denotes the external choice of $P$ and $Q$, whereas $P \sqcap Q$ denotes the internal (or nondeterministic) alternative. The distinction is orthogonal to our concerns, and indeed both choice operators behave identically over our denotational model. The parallel composition $P_1 \parallel_A P_2$ requires $P_1$ and $P_2$ to synchronise (i.e., handshake) on all events in $A$, and to behave independently of each other with respect to all other events. $P ; Q$ is the sequential composition of $P$ and $Q$: it denotes a process which behaves like $P$ until $P$ chooses to terminate (silently), at which point the process seamlessly starts to behave like $Q$. $P \setminus A$ is a process which behaves like $P$ but with all communications in the set $A$ hidden. The renamed process $P[R]$ derives its behaviours from those of $P$ in that, whenever $P$ can perform an event $a$, $P[R]$ can engage in any event $b$ such that $a\,R\,b$. To understand the meaning of $\mu X . P$, consider the equation $X = P$, in terms of the unknown $X$. While this equation may have several solutions, it always has a unique least⁴ such, written $\mu X . P$. Moreover, as it turns out, if $\mu X . P$ is livelock-free then the equation $X = P$ has no other solutions. Lastly, the process $DIV$ represents livelock, i.e., a process caught in an infinite loop of silent events.

A CSP term is closed if every occurrence of a variable $X$ in it occurs within the scope of a $\mu X$ operator; we refer to such terms as processes. We denote by $\mathrm{CSP}$ the set of all CSP processes and by $\widehat{\mathrm{CSP}}$ the set of all CSP terms, both open and closed.

Let us state a few conventions. When hiding a single event $a$, we write $P \setminus a$ rather than $P \setminus \{a\}$. For $R$ a renaming relation on $\Sigma$ and $U \subseteq \Sigma$, we denote by $R(U)$ the set $\{y \mid \exists x \in U . x\,R\,y\}$. The binding scope of the $\mu X$ operator extends as far to the right as possible. We also often express recursions by means of the equational notation $X = P$, rather than the functional $\mu X . P$.

Let us also remark that CSP processes are often defined via vectors of mutually recursive equations. These can always be converted to our present syntax, thanks to Bekić's theorem [28, Chap. 10]⁵. Accordingly, we shall freely make use of the vectorised notation in this paper, viewed as syntactic sugar.

3. Operational and Denotational Semantics

We present congruent (equivalent) operational and denotational semantics for CSP. For reasons of space, some details and clauses are omitted. An extensive treatment of a variety of different CSP models can also be found in [21, 22]. The semantics presented below only distill those ideas from [21, 22] that are relevant in our setting.

3.1. Operational semantics. The operational semantics is presented as a list of inference rules in SOS form. In what follows, $a$ stands for a visible event, i.e., belongs to $\Sigma^{\checkmark}$. $A \subseteq \Sigma$ and $A^{\checkmark} = A \cup \{\checkmark\}$. $\gamma$ can be a visible event or a silent one ($\gamma \in \Sigma^{\checkmark} \cup \{\tau\}$). $P \xrightarrow{\gamma} P'$ means that $P$ can perform an immediate and instantaneous $\gamma$-transition, and subsequently become $P'$ (communicating $\gamma$ in the process if $\gamma$ is a visible event). If $P$ is a term with a single free variable $X$ and $Q$ is a process, $[Q/X]P$ represents the process $P$ with $Q$ substituted for every free occurrence of $X$.



$$(a \to P) \xrightarrow{a} P \qquad\qquad SKIP \xrightarrow{\checkmark} STOP$$

$$P_1 \sqcap P_2 \xrightarrow{\tau} P_1 \qquad\qquad P_1 \sqcap P_2 \xrightarrow{\tau} P_2$$

$$\mu X . P \xrightarrow{\tau} [(\mu X . P)/X]P \qquad\qquad DIV \xrightarrow{\tau} DIV .$$

⁴ The relevant partial order is defined in Section 3.

⁵ Our rules for livelock detection require that processes be defined using the fixed-point operator $\mu$, as opposed to systems of mutually recursive process definitions. Bekić's theorem expresses fixed points of self-maps on the product space $X \times Y$ in terms of fixed points of self-maps on the respective components $X$ and $Y$. For example, consider a mutually recursive process definition of the form $P = f(P, Q)$, $Q = g(P, Q)$. The idea is first to define a parameterised fixed point of $g$ via the expression $\mu Y . g(X, Y)$, and then substitute in the expression for $P$, yielding $P = \mu X . f(X, \mu Y . g(X, Y))$. This process can be generalised to transform mutually recursive definitions of arbitrary dimension into expressions using only the single-variable fixed-point operator $\mu$.

These rules allow us to associate to any CSP process a labelled transition system (LTS) 
representing its possible executions. We say that a process diverges if it has an infinite path 
whose actions are exclusively r's. A process is livelock-free if it never reaches a point from 
which it diverges. 
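The introduction remarks that, when the LTS generated by these rules is finite, divergence can be decided by looking for a reachable cycle of τ-transitions, and that the LTS may be exponentially larger than the term. The following Python program is an added example, not code from the paper or from FDR: it encodes the CSP fragment above as nested tuples, implements the transition rules (including the clauses the paper omits for space, namely external choice, sequential composition, hiding, renaming and parallel composition, for which I assume the standard CSP rules: a τ does not resolve an external choice, ✓ of the left operand of ; becomes a τ, the two sides of $\parallel_A$ synchronise on $A$ and on ✓, and a renaming leaves events outside its domain unchanged), explores the term-level LTS up to a bound, and reports a divergence only when a τ-cycle is actually found. The term encoding, the event names, the bound and the verdict labels are my own choices.

```python
from collections import deque

TAU, TICK = 'tau', 'tick'   # silent action and the termination event (checkmark)

# Terms are nested tuples tagged by their first element (my own encoding).
def STOP():          return ('STOP',)
def SKIP():          return ('SKIP',)
def DIV():           return ('DIV',)
def PREFIX(a, p):    return ('PREFIX', a, p)             # a -> P
def ICHOICE(p, q):   return ('ICHOICE', p, q)            # internal choice
def ECHOICE(p, q):   return ('ECHOICE', p, q)            # external choice
def PAR(A, p, q):    return ('PAR', frozenset(A), p, q)  # P ||_A Q
def SEQ(p, q):       return ('SEQ', p, q)                # P ; Q
def HIDE(A, p):      return ('HIDE', frozenset(A), p)    # P \ A
def RENAME(R, p):    return ('RENAME', frozenset(R), p)  # P[R], R a set of (x, y) pairs
def VAR(x):          return ('VAR', x)
def MU(x, p):        return ('MU', x, p)

def subst(term, x, q):
    """[q/X]term; assumes bound variables have distinct names, so no capture."""
    if term[0] == 'VAR':
        return q if term[1] == x else term
    if term[0] == 'MU' and term[1] == x:
        return term
    return tuple(subst(e, x, q) if isinstance(e, tuple) else e for e in term)

def steps(p):
    """Immediate transitions of p as a set of (label, successor) pairs (SOS rules)."""
    tag = p[0]
    if tag == 'STOP':    return set()
    if tag == 'SKIP':    return {(TICK, STOP())}
    if tag == 'DIV':     return {(TAU, DIV())}
    if tag == 'PREFIX':  return {(p[1], p[2])}
    if tag == 'ICHOICE': return {(TAU, p[1]), (TAU, p[2])}
    if tag == 'MU':      return {(TAU, subst(p[2], p[1], p))}
    if tag == 'ECHOICE':                       # a tau on one side does not resolve the choice
        out = {(TAU, ECHOICE(p1, p[2])) if l == TAU else (l, p1) for l, p1 in steps(p[1])}
        out |= {(TAU, ECHOICE(p[1], q1)) if l == TAU else (l, q1) for l, q1 in steps(p[2])}
        return out
    if tag == 'SEQ':                           # termination of the left side becomes a tau
        return {(TAU, p[2]) if l == TICK else (l, SEQ(p1, p[2])) for l, p1 in steps(p[1])}
    if tag == 'HIDE':
        A = p[1]
        return {(TAU if l in A else l, HIDE(A, p1)) for l, p1 in steps(p[2])}
    if tag == 'RENAME':                        # assumed: events outside dom(R) pass unchanged
        R, dom = p[1], {x for x, _ in p[1]}
        out = set()
        for l, p1 in steps(p[2]):
            targets = [y for x, y in R if x == l] if l in dom else [l]
            out |= {(m, RENAME(R, p1)) for m in targets}
        return out
    if tag == 'PAR':                           # handshake on A and on termination (assumed)
        A, sp, sq = p[1], steps(p[2]), steps(p[3])
        out = {(l, PAR(A, p1, p[3])) for l, p1 in sp if l not in A and l != TICK}
        out |= {(l, PAR(A, p[2], q1)) for l, q1 in sq if l not in A and l != TICK}
        out |= {(l, PAR(A, p1, q1)) for l, p1 in sp for m, q1 in sq
                if l == m and (l in A or l == TICK)}
        return out
    raise ValueError(tag)

def has_tau_cycle(tau_edges):
    """Iterative DFS for a cycle in the tau-graph restricted to the explored states."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {v: WHITE for v in tau_edges}
    for root in tau_edges:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(tau_edges[root]))]
        while stack:
            v, it = stack[-1]
            for w in it:
                if w not in tau_edges:         # frontier state never expanded: edges unknown
                    continue
                if colour[w] == GREY:
                    return True
                if colour[w] == WHITE:
                    colour[w] = GREY
                    stack.append((w, iter(tau_edges[w])))
                    break
            else:
                colour[v] = BLACK
                stack.pop()
    return False

def classify(p, bound=200):
    """Explore at most `bound` term-states from p.  'diverges' is reported only for a
    tau-cycle actually reached; 'livelock-free' only if the whole LTS was exhausted."""
    seen, queue, tau_edges, truncated = {p}, deque([p]), {}, False
    while queue:
        cur = queue.popleft()
        succs = steps(cur)
        tau_edges[cur] = [q for l, q in succs if l == TAU]
        for _, q in succs:
            if q in seen:
                continue
            if len(seen) >= bound:
                truncated = True
            else:
                seen.add(q)
                queue.append(q)
    if has_tau_cycle(tau_edges):
        return 'diverges'
    return 'inconclusive' if truncated else 'livelock-free'
```

On $(\mu X . a \to X) \setminus a$ the explorer returns to the same term after two τ-steps and reports a divergence, and on $(\mu X . a \to X) \parallel_{\{a\}} (\mu Y . a \to b \to Y)$ with $a$ hidden it exhausts six states without a τ-cycle and reports livelock-freedom. On the recursion $\mu X . a \to (X \setminus a)$ of Example 5.1, however, every unfolding nests one more hiding operator, so no term is ever revisited: the bound is hit and the verdict is 'inconclusive' although the process diverges. That infinite term-level state space is exactly what the static analysis of Section 5 sidesteps.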

3.2. Denotational semantics. The denotational semantics ascribes to any CSP process a pair $(\mathrm{traces}_\perp(P), \mathrm{divergences}(P))$, where $\mathrm{traces}_\perp(P) = \mathrm{traces}(P) \cup \mathrm{divergences}(P) \subseteq \Sigma^{*\checkmark}$ is the set of all finite visible-event traces that $P$ may perform, and $\mathrm{divergences}(P) \subseteq \mathrm{traces}_\perp(P)$ is the set of traces after which it may diverge⁶. Following [22], we write $\mathcal{T}^{\Downarrow}$ for the set of pairs $(T, D) \in \mathcal{P}(\Sigma^{*\checkmark}) \times \mathcal{P}(\Sigma^{*\checkmark})$ satisfying the following axioms (where $\frown$ denotes trace concatenation):

(1) $D \subseteq T$.

(2) $s \frown \langle\checkmark\rangle \in D$ implies $s \in D$.

(3) $T \subseteq \Sigma^{*\checkmark}$ is non-empty and prefix-closed.

(4) $s \in D \cap \Sigma^*$ and $t \in \Sigma^{*\checkmark}$ implies $s \frown t \in D$.

Axiom 4 says that the set of divergences is postfix-closed. Indeed, since we are only interested in detecting divergence, we treat it as catastrophic and do not attempt to record any meaningful information past a point from which a process may diverge; accordingly, our semantic model takes the view that a process may perform any sequence of events after divergence. Thus the only reliable behaviours of a process are those in $T - D$.



⁶ Standard models of CSP also take account of the liveness properties of a process by modelling its refusals, i.e., the sets of events it cannot perform after a given trace. However, this information is orthogonal to our concerns: the divergences of a process are independent of its refusals; see [21, Section 8.4].
$$\begin{array}{rcl}
\mathrm{traces}(STOP) &=& \{\langle\rangle\}\\
\mathrm{traces}(SKIP) &=& \{\langle\rangle, \langle\checkmark\rangle\}\\
\mathrm{traces}(DIV) &=& \emptyset\\
\mathrm{traces}(a \to P) &=& \{\langle\rangle\} \cup \{\langle a\rangle \frown t \mid t \in \mathrm{traces}(P)\}\\
\mathrm{traces}(P \mathbin{\Box} Q) &=& \mathrm{traces}(P) \cup \mathrm{traces}(Q)\\
\mathrm{traces}(P \sqcap Q) &=& \mathrm{traces}(P) \cup \mathrm{traces}(Q)\\
\mathrm{traces}(P ; Q) &=& (\mathrm{traces}(P) \cap \Sigma^*) \cup \{t \frown s \mid t \frown \langle\checkmark\rangle \in \mathrm{traces}(P),\ s \in \mathrm{traces}(Q)\}\\
\mathrm{traces}(P \setminus A) &=& \{t \upharpoonright (\Sigma \setminus A) \mid t \in \mathrm{traces}(P)\}\\
\mathrm{traces}(P[R]) &=& \{t \mid \exists s \in \mathrm{traces}(P) . s\,R\,t\}\\
\mathrm{traces}(P \parallel_A Q) &=& \bigcup \{s \parallel_A t \mid s \in \mathrm{traces}(P),\ t \in \mathrm{traces}(Q)\}
\end{array}$$

Figure 1: The model $\mathcal{T}^{\Downarrow}$: inductive rules for calculating traces.

Axiom 2 reflects the intuition that $\checkmark$ represents successful termination. In particular, there is no way a process may diverge after a $\checkmark$ unless it is already divergent.

Given a process $P$, its denotation $[\![P]\!] = (\mathrm{traces}_\perp(P), \mathrm{divergences}(P)) \in \mathcal{T}^{\Downarrow}$ is calculated by induction on the structure of $P$; in other words, the model $\mathcal{T}^{\Downarrow}$ is compositional. The complete list of clauses can be found in [21, Chap. 8], and moreover the traces and divergences of a process may also be extracted from the operational semantics in straightforward fashion. We provide the inductive rules in Figures 1 and 2 to facilitate the proofs. In the last three rules in Figure 2, $r$ ranges over $\Sigma^{*\checkmark}$, in accordance with Axiom 4. The lifting of the renaming relation $R$ to traces is carried out element-wise. The precise definition of $s \parallel_A t$ in the rule for parallel composition is presented in Figure 3.

Definition 3.1. A process $P$ is livelock-free if $\mathrm{divergences}(P) = \emptyset$.

3.2.1. Reasoning About Infinite Traces. In general, reasoning about livelock requires reasoning about infinite behaviours. Hiding a set of events $A \subseteq \Sigma$ from a process $P$ introduces divergence if $P$ is capable of performing an infinite unbroken sequence of events from $A$. Although our model only records the finite traces of a process, the finitely branching nature of our operators⁷ entails (via König's lemma) that a process may perform an infinite trace $u$ if and only if it can perform all finite prefixes of $u$. In other words, the set of finite traces of a process conveys enough information for deducing the set of its infinite traces as well. To keep the notation simple, given an infinite trace $u \in \Sigma^\omega$, we will write

$$u \in \mathrm{traces}^\omega(P) \quad\text{whenever}\quad \{t \in \Sigma^* \mid t < u\} \subseteq \mathrm{traces}(P) ,$$

where $<$ denotes the strong prefix order on $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. Furthermore, we will write $\mathrm{traces}^\infty(P)$ to denote $\mathrm{traces}(P) \cup \mathrm{traces}^\omega(P)$, the set of all finite and infinite traces of $P$.

⁷ All CSP operators are finitely branching under the assumptions that the alphabet $\Sigma$ is finite and that there is no unbounded nondeterminism [21].
$$\begin{array}{rcl}
\mathrm{divergences}(STOP) &=& \emptyset\\
\mathrm{divergences}(SKIP) &=& \emptyset\\
\mathrm{divergences}(DIV) &=& \Sigma^{*\checkmark}\\
\mathrm{divergences}(a \to P) &=& \{\langle a\rangle \frown t \mid t \in \mathrm{divergences}(P)\}\\
\mathrm{divergences}(P \mathbin{\Box} Q) &=& \mathrm{divergences}(P) \cup \mathrm{divergences}(Q)\\
\mathrm{divergences}(P \sqcap Q) &=& \mathrm{divergences}(P) \cup \mathrm{divergences}(Q)\\
\mathrm{divergences}(P ; Q) &=& \mathrm{divergences}(P) \cup \{t \frown s \mid t \frown \langle\checkmark\rangle \in \mathrm{traces}_\perp(P),\ s \in \mathrm{divergences}(Q)\}\\
\mathrm{divergences}(P \setminus A) &=& \{(t \upharpoonright (\Sigma \setminus A)) \frown r \mid t \in \mathrm{divergences}(P)\} \cup {}\\
&& \{(u \upharpoonright (\Sigma \setminus A)) \frown r \mid u \in \Sigma^\omega,\ u \upharpoonright (\Sigma \setminus A) \text{ finite},\ \forall t < u . t \in \mathrm{traces}_\perp(P)\}\\
\mathrm{divergences}(P[R]) &=& \{t \frown r \mid \exists s \in \mathrm{divergences}(P) \cap \Sigma^* . s\,R\,t\}\\
\mathrm{divergences}(P \parallel_A Q) &=& \{u \frown r \mid \exists s \in \mathrm{traces}_\perp(P),\ \exists t \in \mathrm{traces}_\perp(Q) . u \in (s \parallel_A t) \cap \Sigma^*,\\
&& \quad (s \in \mathrm{divergences}(P) \text{ or } t \in \mathrm{divergences}(Q))\}
\end{array}$$

Figure 2: The model $\mathcal{T}^{\Downarrow}$: inductive rules for calculating divergences.
$$\begin{array}{rcl}
\langle a\rangle \frown s \parallel_A \langle b\rangle \frown t &=& \{\langle b\rangle \frown u \mid u \in \langle a\rangle \frown s \parallel_A t\}\\
\langle a\rangle \frown s \parallel_A \langle a\rangle \frown t &=& \{\langle a\rangle \frown u \mid u \in s \parallel_A t\}\\
\langle a\rangle \frown s \parallel_A \langle a'\rangle \frown t &=& \emptyset \quad \text{if } a \neq a'\\
\langle b\rangle \frown s \parallel_A \langle b'\rangle \frown t &=& \{\langle b\rangle \frown u \mid u \in s \parallel_A \langle b'\rangle \frown t\} \cup \{\langle b'\rangle \frown u \mid u \in \langle b\rangle \frown s \parallel_A t\}
\end{array}$$

Figure 3: Interleaving operator on traces (where $s, t \in \Sigma^*$, $A \subseteq \Sigma$, $a, a' \in A$, $b, b' \notin A$).

We note that traces in $\mathrm{traces}^\omega(P)$, and hence finite prefixes thereof, cannot contain $\checkmark$, which denotes successful termination.

We now state the semantic properties we use in case of infinite traces. The proofs for all lemmas can be found in Appendix A.

Lemma 3.2. Let $u \in \mathrm{traces}^\omega(a \to P)$. Then there exists $u' \in \mathrm{traces}^\omega(P)$ such that $u = \langle a\rangle \frown u'$.

Lemma 3.3. Let $u \in \mathrm{traces}^\omega(P \odot Q)$ for $\odot \in \{\mathbin{\Box}, \sqcap\}$. Then $u \in \mathrm{traces}^\omega(P)$ or $u \in \mathrm{traces}^\omega(Q)$.

Lemma 3.4. Let $u \in \mathrm{traces}^\omega(P ; Q)$. Then $u \in \mathrm{traces}^\omega(P)$ or $u = t \frown u'$ with $t \frown \langle\checkmark\rangle \in \mathrm{traces}(P)$, $u' \in \mathrm{traces}^\omega(Q)$.

Lemma 3.5. Let $u \in \mathrm{traces}^\omega(P \setminus A)$ and $P \setminus A$ be livelock-free. Then there exists $v \in \mathrm{traces}^\omega(P)$ such that $u = v \upharpoonright (\Sigma \setminus A)$.

Lemma 3.6. Let $u \in \mathrm{traces}^\omega(P[R])$. Then there exists $v \in \mathrm{traces}^\omega(P)$ such that $v\,R\,u$.

Lemma 3.7. Let $u \in \mathrm{traces}^\omega(P \parallel_A Q)$. Then there exist $u_1 \in \mathrm{traces}^\infty(P)$ and $u_2 \in \mathrm{traces}^\infty(Q)$ such that $u \in u_1 \parallel_A u_2$, and $u_1 \in \Sigma^\omega$ or $u_2 \in \Sigma^\omega$.

3.2.2. Handling Recursion. We interpret recursive processes in the standard way by introducing a partial order $\sqsubseteq$ on $\mathcal{T}^{\Downarrow}$. We write $(T_1, D_1) \sqsubseteq (T_2, D_2)$ if $T_2 \subseteq T_1$ and $D_2 \subseteq D_1$. In other words, the order on $\mathcal{T}^{\Downarrow}$ is reverse inclusion on both the trace and the divergence components. The resulting partial order $(\mathcal{T}^{\Downarrow}, \sqsubseteq)$ is a complete lattice. The bottom element of $(\mathcal{T}^{\Downarrow}, \sqsubseteq)$ is $(\Sigma^{*\checkmark}, \Sigma^{*\checkmark})$, i.e., the denotation of the immediately divergent process $DIV$. The top element is $(\{\langle\rangle\}, \emptyset)$, i.e., the denotation of the immediately deadlocking process $STOP$. The least upper bound and the greatest lower bound of a family $\{(T_i, D_i) \mid i \in I\}$ are given by $\bigsqcup_{i \in I}(T_i, D_i) = (\bigcap_{i \in I} T_i, \bigcap_{i \in I} D_i)$ and $\bigsqcap_{i \in I}(T_i, D_i) = (\bigcup_{i \in I} T_i, \bigcup_{i \in I} D_i)$, respectively.

It is readily verified that each $n$-ary CSP operator other than recursion can be interpreted as a Scott-continuous function $(\mathcal{T}^{\Downarrow})^n \to \mathcal{T}^{\Downarrow}$. The continuity of hiding rests on our assumption that $\Sigma$ is finite (cf. [21, Lemma 8.3.5]). By induction we have that any CSP expression $P$ in variables $X_1, \ldots, X_n$ is interpreted as a Scott-continuous map $(\mathcal{T}^{\Downarrow})^n \to \mathcal{T}^{\Downarrow}$. Recursion is then interpreted using the least fixed point operator $\mathrm{fix} : [\mathcal{T}^{\Downarrow} \to \mathcal{T}^{\Downarrow}] \to \mathcal{T}^{\Downarrow}$. For instance $[\![\mu X . X]\!]$ is the least fixed point of the identity function on $\mathcal{T}^{\Downarrow}$, i.e., the immediately divergent process. Our analysis of livelock-freedom is based around an alternative treatment of fixed points in terms of metric spaces.

4. A Family of Metrics

In what follows, we make repeated use of standard definitions and facts concerning metric spaces. We refer the reader who might be unfamiliar with this subject matter to the accessible text [26].

Let $F(X)$ be a CSP term with a free variable $X$. $F$ can be seen as a selfmap of $\mathcal{T}^{\Downarrow}$. Assume that there exists some metric on $\mathcal{T}^{\Downarrow}$ which is complete⁸ and under which $F$ is a contraction⁹. Then it follows from the Banach fixed point theorem [26] that $F$ has a unique (possibly divergent) fixed point $\mu X . F(X)$ in $\mathcal{T}^{\Downarrow}$. Furthermore, starting from any point in $\mathcal{T}^{\Downarrow}$, iterated application of $F$ is guaranteed to converge to this unique fixed point.

There may be several such metrics, or none at all. Fortunately, a class of suitable metrics can be systematically elicited from the sets of guards of a particular recursion. Roughly speaking, the metrics that we consider are all variants of the well-known 'longest common prefix' metric on traces¹⁰, which were first studied by Roscoe in his doctoral dissertation [20] and independently by de Bakker and Zucker [2]. The reason we need to consider such variants is that hiding fails to be nonexpansive¹¹ in the 'longest common prefix' metric. For instance, the distance between the traces $\langle a, a, b\rangle$ and $\langle a, a, c\rangle$ is $\frac{1}{4}$. However, after the event $a$ is hidden, the distance becomes $1$. The solution, in this particular case, is to change the definition of the length of a trace by only counting non-$a$ events. To formalise these ideas let us introduce a few auxiliary definitions. These are all parametric in a given set of events $U \subseteq \Sigma$.

Given a trace $s \in \Sigma^{*\checkmark}$, the $U$-length of $s$, denoted $\mathrm{length}_U(s)$, is defined to be the number of occurrences of events from $U$ occurring in $s$. Given a set of traces $T \subseteq \Sigma^{*\checkmark}$ and $n \in \mathbb{N}$ the restriction of $T$ to $U$-length $n$ is defined by $T \upharpoonright_U n = \{s \in T \mid \mathrm{length}_U(s) \leq n\}$. We extend this restriction operator to act on our semantic domain $\mathcal{T}^{\Downarrow}$ by defining $(T, D) \upharpoonright_U n = (T', D')$, where

(1) $D' = D \cup \{s \frown t \mid s \in T \cap \Sigma^* \text{ and } \mathrm{length}_U(s) = n\}$.

(2) $T' = D' \cup \{s \in T \mid \mathrm{length}_U(s) \leq n\}$.

Thus $P \upharpoonright_U n$ denotes a process which behaves like $P$ until $n$ events from the set $U$ have occurred, after which it diverges unless it has already terminated. It is the least process which agrees with $P$ on traces with $U$-length no greater than $n$. We now define a metric $d_U$ on $\mathcal{T}^{\Downarrow}$ by

$$d_U(P, Q) = \inf\{2^{-n} \mid P \upharpoonright_U n = Q \upharpoonright_U n\} ,$$

where the infimum is taken in the interval $[0, 1]$.

⁸ A metric space $(\mathcal{T}^{\Downarrow}, d)$ is complete if every Cauchy sequence converges.

⁹ A selfmap $F$ on a metric space $(\mathcal{T}^{\Downarrow}, d)$ is a contraction if there exists a non-negative constant $c < 1$ such that, for any $P, Q \in \mathcal{T}^{\Downarrow}$, $d(F(P), F(Q)) \leq c \cdot d(P, Q)$. Intuitively this means that the distance between any $P, Q \in \mathcal{T}^{\Downarrow}$ is strictly greater (by some factor) than the distance between their images under $F$, as depicted in Figure 4(a).

Figure 4: Contractive and nonexpansive maps. (a) A contractive map. (b) A nonexpansive map.
Proposition 4.1. Let $U \subseteq \Sigma$. Then $(\mathcal{T}^{\Downarrow}, d_U)$ is an ultrametric space.

Proof. It is easy to prove that $(\mathcal{T}^{\Downarrow}, d_U)$ satisfies the following laws for each $P, Q, R \in \mathcal{T}^{\Downarrow}$:

$$\begin{array}{ll}
d_U(P, Q) = 0 \iff P = Q & \text{diagonal law}\\
d_U(P, Q) = d_U(Q, P) & \text{symmetry}\\
d_U(P, Q) \leq d_U(P, R) + d_U(R, Q) & \text{triangle inequality}\\
d_U(P, Q) \leq \max(d_U(P, R), d_U(R, Q)) & \text{ultrametric inequality}
\end{array}$$

The proofs for the first two laws are trivial. Regarding the triangle and ultrametric laws, let us suppose that $d_U(P, R) = 2^{-n}$, $d_U(R, Q) = 2^{-m}$ and $k = \min(n, m)$. Then $P \upharpoonright_U k = R \upharpoonright_U k = Q \upharpoonright_U k$. Therefore,

$$d_U(P, Q) \leq 2^{-k} = \max(d_U(P, R), d_U(R, Q)) \leq d_U(P, R) + d_U(R, Q) . \qquad \square$$

¹⁰ In this metric the distance between two traces $s$ and $t$ is the infimum in $[0, 1]$ of the set $\{2^{-k} \mid s \text{ and } t \text{ possess a common prefix of length } k\}$. I.e., the longer the prefix two traces share, the closer they are, with the standard lifting to sets of traces and, therefore, to processes.

¹¹ A selfmap $F$ on a metric space $(\mathcal{T}^{\Downarrow}, d)$ is nonexpansive if, for any $P, Q \in \mathcal{T}^{\Downarrow}$, $d(F(P), F(Q)) \leq d(P, Q)$, as illustrated in Figure 4(b).

Notice that the function $U \mapsto d_U$ is antitone: if $U \subseteq V$ then $d_U \geq d_V$, i.e., for any $P, Q \in \mathcal{T}^{\Downarrow}$, $d_U(P, Q) \geq d_V(P, Q)$. In particular, the greatest of all the $d_U$ is $d_\emptyset$; this is the discrete metric on $\mathcal{T}^{\Downarrow}$. Furthermore, the least of all the $d_U$ is $d_\Sigma$; this is the standard metric on $\mathcal{T}^{\Downarrow}$ as defined in [21, Chap. 8].

Proposition 4.2. Let $U \subseteq \Sigma$. Then $\mathcal{T}^{\Downarrow}$ equipped with the metric $d_U$ is a complete ultrametric space and the set of livelock-free processes is a closed subset of $\mathcal{T}^{\Downarrow}$. Furthermore, if $F : \mathcal{T}^{\Downarrow} \to \mathcal{T}^{\Downarrow}$ is contractive with respect to $d_U$, then $F$ has a unique fixed point given by $\lim_{n \to \infty} F^n(STOP)$. (Note that this fixed point may be divergent.)

Proof. By Proposition 4.1, $(\mathcal{T}^{\Downarrow}, d_U)$ is an ultrametric space. The proofs that $(\mathcal{T}^{\Downarrow}, d_U)$ is a complete metric space and that the set of livelock-free processes is a closed subset of $\mathcal{T}^{\Downarrow}$ are presented in Appendix B (as Proposition B.2 and Proposition B.3, respectively).

Let $F : \mathcal{T}^{\Downarrow} \to \mathcal{T}^{\Downarrow}$ be contractive with respect to $d_U$. Since $(\mathcal{T}^{\Downarrow}, d_U)$ is a complete metric space, it follows from Banach's fixed point theorem [26, 27] that $F$ has a unique fixed point given by $\lim_{n \to \infty} F^n(\theta)$, where $\theta$ can be any element of $\mathcal{T}^{\Downarrow}$ and, in particular, the process $STOP$. The unique fixed point may or may not be livelock-free, however. □

In the rest of this paper, the only metrics we are concerned with are those associated 
with some subset of S; accordingly, we freely identify metrics and sets when the context is 
unambiguous. 

4.1. Nonexpansiveness of CSP operators. Let us fix $U \subseteq \Sigma$. The following lemmas prove that each CSP operator, other than recursion, is at least nonexpansive with respect to $d_U$ in each of its arguments (for some operators we need to impose certain conditions).



Proofs can be found in Appendix C 



Lemma 4.3. For any CSP processes $P$, $P'$, $Q$, and $Q'$ the following inequalities hold:

$$\begin{array}{ll}
d_U(P \mathbin{\Box} Q, P' \mathbin{\Box} Q) \leq d_U(P, P') & \text{and}\quad d_U(P \mathbin{\Box} Q, P \mathbin{\Box} Q') \leq d_U(Q, Q')\\
d_U(P \sqcap Q, P' \sqcap Q) \leq d_U(P, P') & \text{and}\quad d_U(P \sqcap Q, P \sqcap Q') \leq d_U(Q, Q')\\
d_U(P ; Q, P' ; Q) \leq d_U(P, P') & \text{and}\quad d_U(P ; Q, P ; Q') \leq d_U(Q, Q')\\
d_U(P \parallel_A Q, P' \parallel_A Q) \leq d_U(P, P') & \text{and}\quad d_U(P \parallel_A Q, P \parallel_A Q') \leq d_U(Q, Q') .
\end{array}$$

Lemma 4.4. Let $P$ and $Q$ be CSP processes and let $a \in \Sigma$. Then:

$$d_U(a \to P, a \to Q) \leq d_U(P, Q) .$$

Furthermore, if $a \in U$, then the inequality is strict.

Lemma 4.5. Let $P$ and $Q$ be CSP processes and let $A \subseteq \Sigma$ satisfy $A \cap U = \emptyset$. Then:

$$d_U(P \setminus A, Q \setminus A) \leq d_U(P, Q) .$$

Lemma 4.6. Let $P$ and $Q$ be CSP processes, $R \subseteq \Sigma \times \Sigma$ be a renaming relation on $\Sigma$ and $R(U) = \{y \mid \exists x \in U . x\,R\,y\}$. Then:

$$d_{R(U)}(P[R], Q[R]) \leq d_U(P, Q) .$$

Lemma 4.7. Let $P$, $Q$ and $Q'$ be CSP processes. Let $P$ always communicate an event from $U$ before it does a $\checkmark$. Then:

$$d_U(P ; Q, P ; Q') \leq \tfrac{1}{2}\, d_U(Q, Q') .$$

5. Static Livelock Analysis 

We present an algorithm based on a static analysis which conservatively flags processes that 
may livelock. In other words, any process classified as livelock-free really is livelock-free, 
although the converse may not hold. 

Divergent behaviours originate in three different ways, two of which are non-trivial. The 
first is through direct use of the process DIV; the second comes from unguarded recursions; 
and the third is through hiding an event, or set of events, which the process can perform 
infinitely often to the exclusion of all others. 

Roscoe [21, Chap. 8] addresses the second and third points by requiring that all recursions be guarded, i.e., always perform some event prior to recursing, and by banning use of the hiding operator under recursion. Our idea is to extend Roscoe's requirement that recursions should be guarded by stipulating that one may never hide all the guards. In addition, one may not hide a set of events which a process is able to perform infinitely often to the exclusion of all others. This will therefore involve a certain amount of book-keeping.

5.1. Nonexpansiveness and guardedness. We first treat the issue of guardedness of the recursions. Our task is complicated by the renaming operator, in that a purported guard may become hidden only after several unwindings of a recursion. The following example illustrates some of the ways in which a recursion may fail to be guarded, and thus diverge.

Example 5.1. Let $\Sigma = \{a, b, a_0, a_1, \ldots, a_n\}$ and let $R = \{(a_i, a_{i+1}) \mid 0 \leq i < n\}$ and $S = \{(a, b), (b, a)\}$ be renaming relations on $\Sigma$. Consider the following processes.

(1) $\mu X . X$.

(2) $\mu X . a \to (X \setminus a)$.

(3) $\mu X . (a \to (X \setminus b)) \sqcap (b \to (X \setminus a))$.

(4) $\mu X . (a_0 \to (X \setminus a_n)) \sqcap (a_0 \to X[R])$.

(5) $\mu X . SKIP \sqcap a \to (X ; (X[S] \setminus b))$.

The first recursion is trivially unguarded. In the second recursion the guard $a$ is hidden after the first recursive call. In the third process the guard in each summand is hidden in the other summand; this process will also diverge once it has performed a single event. In the fourth example we cannot choose a set of guards which is both stable under the renaming operator and does not contain $a_n$. This process, call it $P$, makes the following sequence of visible transitions:

$$P \xrightarrow{a_0} P \setminus a_n \xrightarrow{a_0} P[R] \setminus a_n \xrightarrow{a_1} P[R][R] \setminus a_n \xrightarrow{a_2} \cdots \xrightarrow{a_{n-1}} P[R][R]\cdots[R] \setminus a_n .$$

But the last process diverges, since $P$ can make an infinite sequence of $a_0$-transitions which get renamed to $a_n$ by successive applications of $R$ and are then hidden at the outermost level.

A cursory glance at the last process might suggest that it is guarded in $\{a\}$. However, similarly to the previous example, hiding and renaming conspire to produce divergent behaviour. In fact the process, call it $P$, can make an $a$-transition to $P ; (P[S] \setminus b)$, and thence to $(P[S] \setminus b)[S] \setminus b$ via $\tau$-transitions only. But this last process can diverge. □
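Section 5 stresses that the analysis is conservative, and Example 5.1 shows why hiding and renaming beneath a recursion variable are delicate. The Python program below is an added example and is not the paper's rule set (the paper's functions $N_X$, $C_X$, $G$ and $F$ also admit hiding and renaming under a recursion). It implements only the simpler policy sketched at the start of this section: every occurrence of the recursion variable must sit syntactically under a prefix, no hiding or renaming may lie between the recursion and its variable, and one may never hide all the guards. For each term it computes a family of event sets $U$ such that the term is livelock-free and every one of its infinite traces contains infinitely many $U$-events; the family is combined across operators as the lemmas of Section 3.2.1 suggest, filtered at a hiding operator by $A \cap U = \emptyset$ as in Lemma 4.5, and mapped through $R$ at a renaming as in Lemma 4.6. The tuple encoding of terms, the function names and the verdict labels are mine; a renaming is assumed to leave events outside its domain unchanged.

```python
# Terms are nested tuples tagged by their first element (my own encoding), e.g.
#   ('MU', 'X', ('PREFIX', 'a', ('HIDE', frozenset({'a'}), ('VAR', 'X'))))
# for mu X . a -> (X \ a).  PAR is ('PAR', A, P, Q), RENAME is ('RENAME', R, P)
# with A a frozenset of events and R a frozenset of (x, y) pairs.

def subterms(p):
    return [c for c in p if isinstance(c, tuple)]

def guard_paths(p, x, acc=frozenset()):
    """One set of prefix events per free occurrence of x in p (events that must be
    performed before that occurrence is reached).  None if some occurrence is not
    under a prefix or lies beneath hiding/renaming (signalled by acc=None)."""
    tag = p[0]
    if tag == 'VAR':
        if p[1] != x:
            return []
        return [acc] if acc else None
    if tag == 'PREFIX':
        return guard_paths(p[2], x, None if acc is None else acc | {p[1]})
    if tag == 'MU' and p[1] == x:
        return []                      # x is rebound: no free occurrences below
    if tag in ('HIDE', 'RENAME'):
        acc = None                     # conservative: no guards are counted under these
    paths = []
    for c in subterms(p):
        r = guard_paths(c, x, acc)
        if r is None:
            return None
        paths += r
    return paths

def hitting_sets(paths):
    """All sets that contain one event from every path: each unfolding performs one."""
    sets = {frozenset()}
    for path in paths:
        sets = {s | {e} for s in sets for e in path}
    return sets

def subst_stop(p, x):
    """Replace free occurrences of x by STOP: the behaviour that never re-enters x."""
    if p[0] == 'VAR':
        return ('STOP',) if p[1] == x else p
    if p[0] == 'MU' and p[1] == x:
        return p
    return tuple(subst_stop(c, x) if isinstance(c, tuple) else c for c in p)

def image(R, U):
    """R(U), with events outside dom(R) left unchanged (assumed convention)."""
    dom = {x for x, _ in R}
    return frozenset({y for x, y in R if x in U} | {x for x in U if x not in dom})

def guards(p):
    """A non-empty family of event sets U such that p is livelock-free and every
    infinite trace of p has infinitely many U-events; None when this analysis
    cannot establish that (the process may or may not livelock)."""
    tag = p[0]
    if tag in ('STOP', 'SKIP'):
        return {frozenset()}           # no infinite traces at all
    if tag in ('DIV', 'VAR'):
        return None                    # DIV diverges; a free variable is unknown
    if tag == 'PREFIX':
        return guards(p[2])
    if tag in ('ICHOICE', 'ECHOICE', 'SEQ', 'PAR'):
        # an infinite trace of the composite carries an infinite trace of one side
        # (Lemmas 3.3, 3.4, 3.7), so the union of one set per side works
        fams = [guards(c) for c in subterms(p)]
        if None in fams:
            return None
        return {u | v for u in fams[0] for v in fams[1]}
    if tag == 'HIDE':
        fam = guards(p[2])
        if fam is None:
            return None
        fam = {u for u in fam if not (u & p[1])}   # never hide the guards (Lemma 4.5)
        return fam or None
    if tag == 'RENAME':
        fam = guards(p[2])
        return None if fam is None else {image(p[1], u) for u in fam}   # Lemma 4.6
    if tag == 'MU':
        x, body = p[1], p[2]
        paths = guard_paths(body, x)
        inner = guards(subst_stop(body, x))
        if paths is None or inner is None:
            return None
        # each unfolding performs an event of a hitting set; runs that stop
        # unfolding are infinite traces of body[STOP/X]
        return {h | u for h in hitting_sets(paths) for u in inner}
    raise ValueError(tag)

def classify(p):
    return 'livelock-free' if guards(p) else 'inconclusive'
```

For $\mu X . a \to b \to X$ the family is $\{\{a\}, \{b\}\}$, so hiding $a$ alone is accepted while hiding $\{a, b\}$ is not; for $(\mu X . a \to X)[\{(a, b)\}] \setminus a$ the renaming moves the guard to $b$ before the hiding is examined. All five processes of Example 5.1 come back 'inconclusive', which is correct since they diverge, but so does the livelock-free $\mu X . (a \to STOP) ; X$, whose variable is not under a prefix: that is the incompleteness the paper accepts in exchange for a syntax-directed check.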

The intuitions underlying our definitions of nonexpansiveness and guardedness are as follows. Let $U \subseteq \Sigma$ be fixed, giving rise to a metric $d_U$ on $\mathcal{T}^{\Downarrow}$, and let $P = P(X)$ be a CSP term with a single free variable $X$. Then $P$, viewed as a selfmap on $\mathcal{T}^{\Downarrow}$, is by definition contractive with respect to $d_U$ (with contraction factor $1/2$) provided that, for every $T_1, T_2 \in \mathcal{T}^{\Downarrow}$, it is the case that

$$d_U(P(T_1), P(T_2)) \leq \tfrac{1}{2}\, d_U(T_1, T_2) . \qquad (5.1)$$

Now if $P$ happens to apply a one-to-one renaming operator $R$ to its argument, say, then it becomes necessary to rephrase Equation (5.1) above as requiring that

$$d_V(P(T_1), P(T_2)) \leq \tfrac{1}{2}\, d_U(T_1, T_2) , \qquad (5.2)$$

where $d_V$ is a new metric such that $R(U) = V$. Indeed, since $P$ renames events in $U$ to ones in $V$, the distance between $P(T_1)$ and $P(T_2)$ must be measured with respect to the renamed events, rather than the original ones.

This leads us to the concept of a function that is contractive with respect to two different 
metrics du and dy, in which the first metric is used to measure the distance between two 
inputs, whereas the second metric measures the distance between the corresponding two 



outputs of the function under consideration — see Figure 5 Following our convention of 
identifying sets and metrics, we would say that P is contractive in the pair (U, V). 

This reasoning needs to be slightly refined in order to handle non-injective renamings as well as hiding. Our goal is then to define, by induction on the structure of CSP terms, a function $C_X : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$, which associates to each CSP term $P(X)$ a set of pairs of metrics $(U, V)$ such that Equation (5.2) holds. Of course, such a definition would also need to handle terms with several free variables (in addition to $X$), which can be done using a standard projection.

It turns out that, in order to define such a function $C_X$, it is first necessary to compute a function $N_X : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ which calculates, for every CSP term $P(X)$, a set of pairs of metrics $(U, V)$ such that $P$ is nonexpansive in $(U, V)$, following the same convention of measuring the distance between inputs via the metric $d_U$ and the distance between outputs via the metric $d_V$.

It is also necessary to calculate an auxiliary function $G : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma))$, which itself depends on a certain function $F : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$. This may seem problematic, since (as we shall see) $F$ itself depends on $C_X$, but this mutual recursion is well-defined because uses of $F$ in the definition of $G$ only occur on subterms, and likewise for uses of $G$ in $C_X$ and uses of $C_X$ in $F$.

We provide the intuitions underlying the definitions of $G$ and $F$ later on, as these functions are introduced. For now let us finally remark that all the functions that we define are conservative underapproximations, i.e., sound, but not necessarily complete. For example, $N_X(P)$ as defined below generates some but not necessarily all of the pairs of metrics that witness the nonexpansiveness of $P$.

Figure 5: $P$ is contractive in $(U, V)$, i.e., when the distance between inputs is measured with $d_U$ and the distance between outputs is measured with $d_V$.

Intuitively, the role of $N_X(P)$ is to keep track of all hiding and renaming in $P$. The key property of the function $N_X$ is given by the following proposition.

Proposition 5.2. Let $P(X, Y_1, \ldots, Y_n) = P(X, \vec{Y})$ be a CSP term whose free variables are contained within the set $\{X, Y_1, \ldots, Y_n\}$. Let $N_X : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in Figure 6. If $(U, V) \in N_X(P)$, then for all $T_1, T_2, \theta_1, \ldots, \theta_n \in \mathcal{T}^\omega$, we have $d_V(P(T_1, \vec{\theta}), P(T_2, \vec{\theta})) \le d_U(T_1, T_2)$.



$N_X(P) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$ whenever $X$ is not free in $P$; otherwise:

$N_X(a \to P) = N_X(P)$

$N_X(P_1 \oplus P_2) = N_X(P_1) \cap N_X(P_2)$ if $\oplus \in \{\sqcap, \Box, ;, \parallel_A\}$

$N_X(P \setminus A) = \{(U, V) \mid (U, V') \in N_X(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V\}$

$N_X(P[R]) = \{(U, V) \mid (U, V') \in N_X(P) \wedge R(V') \subseteq V\}$

$N_X(X) = \{(U, V) \mid U \subseteq V\}$

$N_X(\mu Y . P) = \{(U, V) \mid (U', V') \in N_X(P) \wedge (V', V') \in N_Y(P) \wedge U \subseteq U' \wedge V' \subseteq V\}$ if $Y \neq X$

Figure 6: Nonexpansive sets.



Proof. The proof proceeds by structural induction on $P$ and is presented in Appendix D. □

Note that, by construction, $N_X(P)$ is always downwards-closed in its first component and upwards-closed in its second component,which is sound due to antitoneness (if $U \subseteq U'$ then $d_U \ge d_{U'}$). Some of the rules are plainly straightforward, whereas others (hiding and especially recursion) require careful thought. An intuition for correctness is probably best obtained by an examination of the proof.
We now move to the function $G$. Intuitively, $G(P) \subseteq \mathcal{P}(\Sigma)$ lists the 'guards' of $\checkmark$ for $P$. Formally:

Proposition 5.3. Let $P(X, Y_1, \ldots, Y_n) = P(X, \vec{Y})$ be a term whose free variables are contained within the set $\{X, Y_1, \ldots, Y_n\}$. If $V \in G(P)$, then, with any processes (and in particular $\mathit{DIV}$) substituted for the free variables of $P$, $P$ must communicate an event from $V$ before it can do a $\checkmark$. □

The inductive clauses for $G$ are given in Figure 7. As mentioned earlier, note that these make use of the collection of fair sets $F(P_i)$ of $P_i$, which is presented later on in Section 5.2. The definition is nonetheless well-founded since $F$ is here only applied to subterms. The salient property of $F(P_i) \neq \emptyset$ is that the process $P_i$ is guaranteed to be livelock-free. The proof of Proposition 5.3 proceeds by structural induction on $P$ and is presented together with Proposition D.1 in Appendix D.


$G(\mathit{STOP}) = \mathcal{P}(\Sigma)$

$G(a \to P) = G(P) \cup \{V \mid a \in V\}$

$G(\mathit{SKIP}) = \emptyset$

$G(P_1 \oplus P_2) = G(P_1) \cap G(P_2)$ if $\oplus \in \{\sqcap, \Box\}$

$G(P_1 \,;\, P_2) = G(P_1) \cup G(P_2)$ if $P_1$ is closed and $F(P_1) \neq \emptyset$; $G(P_1)$ otherwise

$G(P_1 \parallel_A P_2) = G(P_1) \cup G(P_2)$ if, for $i = 1, 2$, $P_i$ is closed and $F(P_i) \neq \emptyset$; $G(P_1) \cap G(P_2)$ otherwise

$G(P \setminus A) = \{V \mid V' \in G(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V\}$ if $P$ is closed and $(\emptyset, \Sigma - A) \in F(P)$; $\emptyset$ otherwise

$G(P[R]) = \{V \mid V' \in G(P) \wedge R(V') \subseteq V\}$

$G(X) = \emptyset$

$G(\mu X . P) = G(P)$.

Figure 7: Guard sets.

We are now ready to define $C_X(P) \subseteq \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$, whose central property is given by the following proposition.

Proposition 5.4. Let $P(X, Y_1, \ldots, Y_n) = P(X, \vec{Y})$ be a term whose free variables are contained within the set $\{X, Y_1, \ldots, Y_n\}$. Let $C_X : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in Figure 8. If $(U, V) \in C_X(P)$, then for all $T_1, T_2, \theta_1, \ldots, \theta_n \in \mathcal{T}^\omega$, we have $d_V(P(T_1, \vec{\theta}), P(T_2, \vec{\theta})) \le \frac{1}{2}\, d_U(T_1, T_2)$.

Proof. The proof proceeds by structural induction on $P$ and is presented together with Proposition D.1 in Appendix D. □
$C_X(P) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$ whenever $X$ is not free in $P$; otherwise:

$C_X(a \to P) = C_X(P) \cup \{(U, V) \in N_X(P) \mid a \in V\}$

$C_X(P_1 \oplus P_2) = C_X(P_1) \cap C_X(P_2)$ if $\oplus \in \{\sqcap, \Box, \parallel_A\}$

$C_X(P_1 \,;\, P_2) = C_X(P_1) \cap \big(C_X(P_2) \cup \{(U, V) \in N_X(P_2) \mid V \in G(P_1)\}\big)$

$C_X(P \setminus A) = \{(U, V) \mid (U, V') \in C_X(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V\}$

$C_X(P[R]) = \{(U, V) \mid (U, V') \in C_X(P) \wedge R(V') \subseteq V\}$

$C_X(X) = \emptyset$

$C_X(\mu Y . P) = \{(U, V) \mid (U', V') \in C_X(P) \wedge (V', V') \in N_Y(P) \wedge U \subseteq U' \wedge V' \subseteq V\}$ if $Y \neq X$.

Figure 8: Contractive sets.

Note that contraction guarantees a unique fixed point, albeit not necessarily a livelock-free one. For instance, $P(X) = (a \to X \setminus b) \;\Box\; (\mu Y . b \to Y)$ has a unique fixed point which can diverge after a single event.
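The following worked derivation is added here as an illustration and is not part of the original paper. It applies the clauses of Figures 6, 8 and 9 to the process just mentioned, taking $\Sigma = \{a, b\}$, $P_1 = a \to X \setminus b$ and $P_2 = \mu Y . b \to Y$ (the alphabet and the split of $P$ into $P_1 \,\Box\, P_2$ are assumptions of this illustration), and contrasts the outcome with the livelock-free process $\mu X . a \to X$.

$$N_X(X \setminus b) = \{(U, V) \mid (U, V') \in N_X(X) \wedge b \notin V' \wedge V' \subseteq V\} = \{(U, V) \mid b \notin U \wedge U \subseteq V\},$$

$$C_X(P_1) = C_X(X \setminus b) \cup \{(U, V) \in N_X(X \setminus b) \mid a \in V\} = \{(U, V) \mid b \notin U \wedge U \subseteq V \wedge a \in V\},$$

since $C_X(X) = \emptyset$ forces $C_X(X \setminus b) = \emptyset$. As $X$ is not free in $P_2$, $C_X(P_2) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$, hence

$$C_X(P_1 \,\Box\, P_2) = C_X(P_1) \ni (\{a\}, \{a\}),$$

so $P$ is contractive and $\mu X . P$ has a unique fixed point. For the fair sets,

$$F(P_1) = F(X \setminus b) = \{(U, V) \mid b \notin U \wedge U \subseteq V\},$$

$$C_Y(b \to Y) \cap F(b \to Y) = \{(U, V) \mid U \subseteq V \wedge b \in V\}, \qquad F(P_2) = \mathcal{P}(\Sigma) \times \{V \mid b \in V\}$$

(the closed case of the $\mu$ clause, with $(W, W)$ ranging over the sets $W \ni b$), and therefore

$$F(P_1 \,\Box\, P_2) = F(P_1) \cap F(P_2) = \{(U, V) \mid b \notin U \wedge U \subseteq V \wedge b \in V\}.$$

The $\mu$ clause for the closed term $\mu X . P$ needs some $(W, W) \in C_X(P) \cap F(P)$, i.e. both $b \notin W$ and $b \in W$; no such $W$ exists, so $F(\mu X . P) = \emptyset$ and Theorem 5.6 (correctly) does not certify the process, which diverges after the event $a$. By contrast, for $\mu X . a \to X$ one gets

$$C_X(a \to X) \cap F(a \to X) = \{(U, V) \mid U \subseteq V \wedge a \in V\} \ni (\{a\}, \{a\}),$$

so $F(\mu X . a \to X) = \mathcal{P}(\Sigma) \times \{V \mid a \in V\} \neq \emptyset$ and the process is certified livelock-free.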

5.2. Fair sets and hiding. In order to prevent livelock, we must ensure that, whenever a process can perform an infinite unbroken sequence of events from a particular set $A$, then we never hide the whole of $A$. To this end, we now associate to each CSP term $P$ a collection of (pairs of) fair sets $F(P) \subseteq \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$: intuitively, this allows us to keep track of the events which the process is guaranteed to perform infinitely often in any infinite execution of $P$. As with nonexpansiveness and contractiveness, the potential presence of renaming and hiding requires us separately to keep track of events performed by the input processes and the output (or compound) process.

Given a set $W \subseteq \Sigma$, we say that a process is $W$-fair if any of its infinite traces contains infinitely many events from $W$.¹ We now have:

Proposition 5.5. Let $P(X_1, \ldots, X_n) = P(\vec{X})$ be a CSP term whose free variables are contained within the set $\{X_1, \ldots, X_n\}$. Let $F : \mathrm{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in Figure 9. If $(U, V) \in F(P)$, then, for any collection of livelock-free, $U$-fair processes $\theta_1, \ldots, \theta_n \in \mathcal{T}^\omega$, the process $P(\theta_1, \ldots, \theta_n)$ is livelock-free and $V$-fair.

Proof. The proof proceeds by structural induction on $P$ and is presented together with Proposition D.1 in Appendix D. □

¹ Recall our understanding that a process can 'perform' an infinite trace iff it can perform all its finite prefixes.



$F(\mathit{STOP}) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$

$F(a \to P) = F(P)$

$F(\mathit{SKIP}) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$

$F(P_1 \oplus P_2) = F(P_1) \cap F(P_2)$ if $\oplus \in \{\sqcap, \Box, ;\}$

$F(P_1 \parallel_A P_2) = (F(P_1) \cap F(P_2)) \;\cup\; \{(U_1 \cap U_2, V_1) \mid (U_1, V_1) \in F(P_1) \wedge (U_2, A) \in F(P_2)\} \;\cup\; \{(U_1 \cap U_2, V_2) \mid (U_2, V_2) \in F(P_2) \wedge (U_1, A) \in F(P_1)\}$

$F(P \setminus A) = \{(U, V) \mid (U, V') \in F(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V\}$

$F(P[R]) = \{(U, V) \mid (U, V') \in F(P) \wedge R(V') \subseteq V\}$

$F(X) = \{(U, V) \mid U \subseteq V\}$

$F(\mu X . P) = \{(U, V) \mid (W, W) \in C_X(P) \cap F(P) \wedge U \subseteq W \subseteq V\}$ if $\mu X . P$ is open; $\mathcal{P}(\Sigma) \times \{V \mid (W, W) \in C_X(P) \cap F(P) \wedge W \subseteq V\}$ otherwise.

Figure 9: Fair sets.

Note that, by construction, $F(P)$ is always downwards-closed in its first component and upwards-closed in its second component; this is sound since if $U \subseteq U'$ and $P$ is $U$-fair, then $P$ is automatically $U'$-fair as well.

We now obtain one of our main results as an immediate corollary:

Theorem 5.6. Let $P$ be a CSP process (i.e., closed term) not containing $\mathit{DIV}$ in its syntax. If $F(P) \neq \emptyset$, then $P$ is livelock-free.

Proof. Let $F(P) \neq \emptyset$ and $(U, V) \in F(P)$ for some $U, V \subseteq \Sigma$. Since $P$ is closed, $P$ has no free variables. Then, by Proposition 5.5, $P$ is livelock-free (and $V$-fair). □



Theorem 5.6 gives rise to a procedure for establishing livelock-freedom of a given process $P$ over alphabet $\Sigma$, whose complexity is at most quadratic in the syntactic size of $P$ and exponential in the cardinality of $\Sigma$: indeed, for fixed $\Sigma$, one computes $N_X(Q)$, $G(Q)$, $C_X(Q)$, and $F(Q)$ for every variable $X$ appearing in $P$ and every subterm $Q$ of $P$. Since the number of variables and the number of subterms are both at most linear in the size of $P$, the computation is at most quadratic in $P$. On the other hand, each of $N_X(Q)$, $C_X(Q)$, and $F(Q)$ is a collection of pairs of subsets of $\Sigma$, whereas $G(Q)$ is a collection of subsets of $\Sigma$. Thus for $\Sigma$ not fixed, these pieces of data are potentially exponentially large.

In practice, applications often make use of moderately large alphabets, making the direct set-based approach described above prohibitively expensive. However, an inspection of the rules defining $N_X(Q)$, $G(Q)$, $C_X(Q)$, and $F(Q)$ reveals that these objects can be represented symbolically, either as propositional formulas or as BDDs; further implementation details are provided in Section 7. As a result, the problem of deciding whether $F(P) \neq \emptyset$ can be seen to lie in NP.
6. Structurally Finite-State Processes

The techniques developed in Section 5 allow us to handle the widest range of CSP processes; among others, they enable one to establish livelock-freedom of numerous infinite-state processes including examples making use of infinite buffers or unbounded counters. Such processes are of course beyond the reach of explicit-state model checkers such as FDR. In order to create them in CSP, it is necessary to use devices such as recursing under the parallel operator. In practice, however, the vast majority of processes tend to be finite state.

Let us therefore define a CSP process to be structurally finite state if it never syntactically recurses under any of parallel, the left-hand side of a sequential composition, hiding, or renaming.

More precisely, we first define a notion of sequential CSP terms: $\mathit{STOP}$, $\mathit{SKIP}$, and $X$ are sequential; if $P$ and $Q$ are sequential, then so are $a \to P$, $P \sqcap Q$, $P \,\Box\, Q$, and $\mu X . P$; and if in addition $P$ is closed, then $P \,;\, Q$, $P \setminus A$, and $P[R]$ are sequential. Observe that sequential processes give rise to labelled transition systems of size linear in the length of their syntax.

Now any closed sequential term is deemed to be structurally finite state; and if $P$ and $Q$ are structurally finite state, then so are $a \to P$, $P \sqcap Q$, $P \,\Box\, Q$, $P \parallel_A Q$, $P \,;\, Q$, $P \setminus A$, and $P[R]$. Note that structurally finite-state CSP terms are always closed, i.e., are processes.

Let us write SFS to denote the collection of all structurally finite-state processes.

Whether a given process is structurally finite state can easily be established by syntactic inspection, for example by using Bekić's theorem [28] (see Section 2) and analysing the resulting $\mu$ expression. For such processes, it turns out that we can substantially both simplify and sharpen our livelock analysis. More precisely, the computation of nonexpansive and contractive data is circumvented by instead directly examining closed sequential components in isolation. Furthermore, the absence of free variables in compound processes makes some of the earlier fairness calculations unnecessary, thereby allowing more elaborate and finer data to be computed efficiently, as we now explain.

Let $u$ be an infinite trace over $\Sigma$, and let $F, C \subseteq \Sigma$ be two sets of events. We say that $u$ is fair in $F$ if, for each $a \in F$, $u$ contains infinitely many occurrences of $a$,² and we say that $u$ is co-fair in $C$ if, for each $b \in C$, $u$ contains at most finitely many occurrences of $b$. We lift this to sets of traces in the following way: let $T \subseteq \Sigma^\omega$ be a set of infinite traces over $\Sigma$, and let $\mathcal{F} = \{(F_1, C_1), \ldots, (F_k, C_k)\} \subseteq \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$ be a collection of pairs of subsets of $\Sigma$. We say that $T$ is fair/co-fair in $\mathcal{F}$ provided that, for every infinite trace $u \in T$, there exists a pair $(F_i, C_i) \in \mathcal{F}$ such that $u$ is both fair in $F_i$ and co-fair in $C_i$.

Our aim is the following. Given a structurally finite-state process $P$, we wish to compute:

• a Boolean-valued livelock flag $\delta(P) \in \{\mathit{true}, \mathit{false}\}$, together with

• a collection of pairs of disjoint sets $\Phi(P) = \{(F_1, C_1), \ldots, (F_k, C_k)\} \subseteq \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$,

such that if $\delta(P) = \mathit{false}$, then (i) $P$ is livelock-free, and moreover (ii) $\mathrm{traces}^\omega(P)$ is fair/co-fair in $\Phi(P)$.



6.1. Handling Sequential SFS Processes. For $P$ a sequential SFS process, let us denote by $M_P$ its associated labelled transition system as derived from the operational semantics; let us assume that we construct $M_P$ so that all states are reachable from the initial state. As noted earlier, $M_P$ has size linear in the syntactic description of $P$. We can then compute the livelock flag $\delta(P)$ and the set of fair/co-fair pairs $\Phi(P) = \{(F_1, C_1), \ldots, (F_k, C_k)\}$ exactly, directly from $M_P$. More precisely, we set $\delta(P)$ to true or false depending on whether or not $P$ can eventually diverge, i.e., whether $M_P$ contains a $\tau$-cycle. This can be carried out using Tarjan's algorithm in time linear in the number of states in $M_P$.

Assuming the livelock flag $\delta(P)$ is false, we compute the set of fair/co-fair pairs $\Phi(P)$ as follows. We add a pair of disjoint sets of events $(F, C)$ to $\Phi(P)$ if and only if $M_P$ comprises some infinite trace which is fair in $F$ and co-fair in $C$. Note that if $P$ has no infinite trace, $\Phi(P)$ will therefore be empty.

² Note that this notion of 'fairness' differs from that used in the previous section.

It is worth pointing out how the computation of $\Phi(P)$ can be achieved efficiently. Given a non-empty set $L \subseteq \Sigma$ of events, we delete all $(\Sigma - L)$-labelled transitions from $M_P$. If the resulting graph contains a (not necessarily reachable) strongly connected component which comprises every event in $L$, we include $(L, \Sigma - L)$ as a fair/co-fair pair for $P$, and otherwise we do not.

Of course, in actual implementations, it is likely not desirable to iterate explicitly over all possible subsets of $\Sigma$. The computation we described can be carried out symbolically using a Boolean circuit of size polynomial in $P$, using well-known circuit algorithms for computing the transitive closure of relations. Consequently, $\Phi(P)$ can be represented symbolically and compactly either as a BDD or as a propositional formula. Further implementation details are provided in Section 7 and Appendix G.



6.2. Compositional Rules for SFS Processes. 



Theorem 6.1. Let $P$ be a structurally finite-state process. Let $\Phi : \mathrm{SFS} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ and $\delta : \mathrm{SFS} \to \{\mathit{true}, \mathit{false}\}$ be defined recursively on the structure of $P$ as shown in Figures 10 and 11 respectively. Then, if $\delta(P) = \mathit{false}$, $P$ is livelock-free. Moreover, if in addition $\Phi(P) = \{(F_1, C_1), \ldots, (F_k, C_k)\}$, then, for every infinite trace $u$ of $P$, there exists $1 \le i \le k$ such that $u$ is both fair in $F_i$ and co-fair in $C_i$.

The proof of Theorem 6.1 proceeds by structural induction on $P$ and is presented in Appendix E.

Note that by construction, all fair/co-fair pairs of sets thus generated remain disjoint; this is key in the rule for parallel composition, where the fair/co-fair data of individual subcomponents enables one to rule out certain pairs for the resulting parallel process. Also, as shown in the proof of Theorem 6.1, whenever $(F, C)$ appears as a fair/co-fair pair in some $\Phi(P)$, $F$ is never empty.

Let us also remark that the $\delta$ clause for the hiding operator is here phrased in a way so as to make the rule as intuitively clear as possible. In practice, one however need not iterate over all possible pairs $(F, C) \in \Phi(P)$: it is simpler instead to evaluate the negation, an existential calculation which is easily integrated within either a SAT or BDD implementation.



6.3. Static Livelock Analysis Algorithm. Theorems 5.6 and 6.1 yield a conservative algorithm for livelock-freedom: given a CSP process $P$ (which we will assume does not contain $\mathit{DIV}$ in its syntax), determine first whether $P$ is structurally finite state. If so, assert that $P$ is livelock-free if $\delta(P) = \mathit{false}$, and otherwise report an inconclusive result. If $P$ is not structurally finite state, assert that $P$ is livelock-free if $F(P) \neq \emptyset$, and otherwise report an inconclusive result.
$\Phi(P)$ = computed from $P$'s LTS (see Section 6.1) whenever $P$ is a sequential SFS process; otherwise:

$\Phi(a \to P) = \Phi(P)$

$\Phi(P_1 \oplus P_2) = \Phi(P_1) \cup \Phi(P_2)$ if $\oplus \in \{\sqcap, \Box, ;\}$

$\Phi(P_1 \parallel_A P_2) = \{(F, C) \mid F \cap C = \emptyset \wedge (F_i, C_i) \in \Phi(P_i) \text{ for } i = 1, 2 \wedge F = F_1 \cup F_2 \wedge C = (C_1 \cap A) \cup (C_2 \cap A) \cup ((C_1 - A) \cap (C_2 - A))\}$
$\quad \cup\; \{(F, C) \mid (F, C) \in \Phi(P_1) \wedge F \cap A = \emptyset\}$
$\quad \cup\; \{(F, C) \mid (F, C) \in \Phi(P_2) \wedge F \cap A = \emptyset\}$

$\Phi(P \setminus A) = \{(F - A, C \cup A) \mid (F, C) \in \Phi(P)\}$

$\Phi(P[R]) = \{(F, C) \mid (F', C') \in \Phi(P) \wedge F' \subseteq R^{-1}(F) \wedge F \subseteq R(F') \wedge C = \{b \in \Sigma \mid R^{-1}(b) \subseteq C'\}\}$.

Figure 10: Fair/co-fair sets.



$\delta(P)$ = computed from $P$'s LTS (see Section 6.1) whenever $P$ is a sequential SFS process; otherwise:

$\delta(a \to P) = \delta(P)$

$\delta(P_1 \oplus P_2) = \delta(P_1) \vee \delta(P_2)$ if $\oplus \in \{\sqcap, \Box, \parallel_A, ;\}$

$\delta(P \setminus A) = \mathit{false}$ if $\delta(P) = \mathit{false}$ and, for each $(F, C) \in \Phi(P)$, $F - A \neq \emptyset$; $\mathit{true}$ otherwise

$\delta(P[R]) = \delta(P)$.

Figure 11: $\delta$-bit.



The complexity of this procedure is in the worst case quadratic in the syntactic size of $P$ and exponential in the cardinality of $\Sigma$, by invoking a similar line of reasoning as that presented following Theorem 5.6. Likewise, determining for an SFS process $P$ whether $\delta(P)$ is true is easily seen to lie in NP.

It is perhaps useful to illustrate how the inherent incompleteness of our procedure can manifest itself in very simple ways. For example, let $P = a \to Q$ and $Q = (a \to P) \,\Box\, (b \to Q)$, and let $R = (P \parallel_{\{a,b\}} Q) \setminus b$. Using Bekić's procedure, $R$ is readily seen to be (equivalent to) a structurally finite-state process. Moreover, $R$ is clearly livelock-free, yet $\delta(R) = \mathit{true}$ and $F(R) = \emptyset$. Intuitively, establishing livelock-freedom here requires some form of state-space exploration, to see that the 'divergent' state $(Q \parallel_{\{a,b\}} Q) \setminus b$ of $R$ is in fact unreachable, but that is precisely the sort of reasoning that our static analysis algorithm is not geared to do.
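The following Python program is an added example and is not the SLAP implementation or any code from the paper (SLAP is symbolic; this is the explicit-set reading). It implements the Section 6.1 computation of $\delta(P)$ and $\Phi(P)$ from an LTS (Tarjan's SCC algorithm, and for each non-empty $L \subseteq \Sigma$ the deletion of $(\Sigma - L)$-labelled transitions), the $P_1 \parallel_A P_2$ clause of Figure 10 and the $P \setminus A$ clause of Figure 11, and runs them on the incompleteness example above. The state and event names, the set-of-triples LTS encoding and the spelling of $\tau$ as the string "tau" are this example's own assumptions, and the LTS of $P$ and $Q$ is written out by hand rather than derived from the operational semantics.

```python
"""Added example for Sections 6.1-6.3 (not the paper's symbolic SLAP code):
delta and Phi of a sequential SFS process from its explicit LTS, the ||_A and
\\ A clauses of Figures 10 and 11, and the incompleteness example
R = (P ||_{a,b} Q) \\ b.  State/event names, the set-of-triples LTS encoding
and the spelling TAU of the silent event are this example's own assumptions."""
from itertools import combinations

TAU = "tau"


def sccs(states, edges):
    """Tarjan's SCC algorithm; edges is a set of (source, target) pairs."""
    succ = {s: [q for (p, q) in edges if p == s] for s in states}
    index, low, on, stack, comps = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            comp, w = set(), None
            while w != v:
                w = stack.pop(); on.discard(w); comp.add(w)
            comps.append(frozenset(comp))

    for s in states:
        if s not in index:
            visit(s)
    return comps


def delta_lts(states, trans):
    """delta(P) for a sequential SFS process: does M_P contain a tau-cycle?"""
    edges = {(p, q) for (p, l, q) in trans if l == TAU}
    return any(len(c) > 1 or any((v, v) in edges for v in c) for c in sccs(states, edges))


def phi_lts(states, trans, sigma):
    """Phi(P): (L, Sigma-L) is a fair/co-fair pair iff, after deleting every
    (Sigma-L)-labelled transition, some SCC carries every event of L."""
    sigma, pairs = frozenset(sigma), set()
    for k in range(1, len(sigma) + 1):
        for L in map(frozenset, combinations(sorted(sigma), k)):
            kept = {(p, l, q) for (p, l, q) in trans if l == TAU or l in L}
            for comp in sccs(states, {(p, q) for (p, _, q) in kept}):
                if L <= {l for (p, l, q) in kept if p in comp and q in comp}:
                    pairs.add((L, sigma - L))
                    break
    return pairs


def phi_par(phi1, phi2, A):
    """Figure 10, clause for P1 ||_A P2 (pairs whose F and C overlap are dropped)."""
    A, out = frozenset(A), set()
    for (F1, C1) in phi1:
        for (F2, C2) in phi2:
            F, C = F1 | F2, (C1 & A) | (C2 & A) | ((C1 - A) & (C2 - A))
            if not (F & C):
                out.add((F, C))
    return out | {(F, C) for (F, C) in phi1 | phi2 if not (F & A)}


def delta_hide(delta_p, phi_p, A):
    """Figure 11, clause for P \\ A: false iff delta(P) is false and every
    fair set F of Phi(P) keeps some event outside A."""
    return bool(delta_p) or not all(F - frozenset(A) for (F, _) in phi_p)


def parallel_lts(s1, t1, s2, t2, A):
    """Explicit product of P1 ||_A P2: A-events synchronise, others interleave."""
    A, trans = frozenset(A), set()
    for (p1, p2) in ((x, y) for x in s1 for y in s2):
        for (p, l, q) in t1:
            if p == p1 and l in A:
                trans |= {((p1, p2), l, (q, q2)) for (pp, ll, q2) in t2
                          if pp == p2 and ll == l}
            elif p == p1:
                trans.add(((p1, p2), l, (q, p2)))
        for (p, l, q) in t2:
            if p == p2 and l not in A:
                trans.add(((p1, p2), l, (p1, q)))
    return trans


def reachable(trans, init):
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        new = {q for (p, _, q) in trans if p == s} - seen
        seen |= new
        todo += new
    return seen


def analyse_example():
    """R = (P ||_{a,b} Q) \\ b with P = a -> Q and Q = (a -> P) [] (b -> Q).
    Returns (static delta(R), exact delta of the reachable product with b
    hidden, whether the 'divergent' state (Q, Q) is reachable at all)."""
    sigma, states = {"a", "b"}, {"P", "Q"}
    trans = {("P", "a", "Q"), ("Q", "a", "P"), ("Q", "b", "Q")}  # constructed LTS
    # P and Q are the two states of one LTS, each reachable from the other,
    # so the two sequential components share delta and Phi.
    d, phi = delta_lts(states, trans), phi_lts(states, trans, sigma)
    static = delta_hide(d or d, phi_par(phi, phi, sigma), {"b"})  # delta(P) v delta(Q)
    prod = parallel_lts(states, trans, states, trans, sigma)
    reach = reachable(prod, ("P", "Q"))
    hidden = {(p, TAU if l == "b" else l, q) for (p, l, q) in prod if p in reach}
    return static, delta_lts(reach, hidden), ("Q", "Q") in reach
```

`analyse_example()` returns `(True, False, False)`: $\Phi(P) = \Phi(Q) = \{(\{a\},\{b\}), (\{b\},\{a\}), (\{a,b\},\emptyset)\}$, the parallel clause keeps the pair $(\{b\},\{a\})$, hiding $b$ empties its fair set, and so the compositional rules report $\delta(R) = \mathit{true}$; the exact check on the reachable product, which only alternates between $(P, Q)$ and $(Q, P)$ on the event $a$, finds no $\tau$-cycle and confirms that $(Q, Q)$ is never reached.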

Nonetheless, we have found in practice that our approach succeeded in establishing livelock-freedom for a wide range of existing benchmarks; we report on some of our experiments in Section 7 and also present in Appendix F a small case study illustrating the intuitions underlying the rules given in Figures 10 and 11.

We conclude by noting that, for structurally finite-state processes, Theorem 6.1 is stronger than Theorem 5.6, i.e., it correctly classifies a larger class of processes as being livelock-free, as stated in the following proposition. Empirically, algorithms based on Theorem 6.1 have also been found to run considerably faster in practice.

Proposition 6.2. For any structurally finite-state process $P$, if $F(P) \neq \emptyset$ then $\delta(P) = \mathit{false}$.

Proof. A proof sketch is given in Appendix E. □



7. Implementation and Experimental Results

We have implemented both the general framework and the framework for structurally finite-state processes in a tool called SLAP, which is an acronym for Static Livelock Analyser of Processes. Computationally, the crux of our algorithms revolves around the generation and manipulation of sets. The algorithms fit very naturally into a symbolic paradigm; hence SLAP is fully symbolic. The choice of an underlying symbolic engine is configurable, with support for using a SAT engine (based on MiniSAT 2.0), a BDD engine (based on CUDD 2.4.2), or running a SAT and a BDD analyser in parallel and reporting the results of the first one to finish. Some details regarding the symbolic part of our frameworks and algorithms are presented in Appendix G.

We have also integrated the framework for analysing structurally finite-state processes directly into FDR [1], where it now constitutes an alternative back-end for establishing livelock freedom. The binaries for the latter can be downloaded from the following location:

http://www.cs.ox.ac.uk/projects/concurrency-tools/slap/

We experimented with a wide range of benchmarks, including parameterised, parallelised, and piped versions of Milner's Scheduler, the Alternating Bit Protocol, the Sliding Window Protocol, the Dining Philosophers, Yantchev's Mad Postman Algorithm [29], as well as a Distributed Database algorithm.³ In all our examples, internal communications were hidden, so that livelock-freedom can be viewed as a progress or liveness property. All benchmarks were livelock-free, although the reader familiar with the above examples will be aware that manually establishing livelock-freedom for several of these can be a subtle exercise.

In all cases apart from the Distributed Database algorithm, SLAP was indeed correctly able to assert livelock-freedom (save for rare instances of timing out). (Livelock-freedom for the Distributed Database algorithm turns out to be remarkably complex; see [21] for details.) In almost all instances, both BDD-based and SAT-based implementations of SLAP substantially outperformed the state-of-the-art CSP model checker FDR, often completing orders of magnitude faster. On the whole, BDD-based and SAT-based implementations performed comparably, with occasional discrepancies. All experiments were carried out on a 3.07GHz Intel Xeon processor running under Ubuntu with 8 GB of RAM. Times in seconds are given in Table 1, with * indicating a 30-minute timeout.

³ Scripts and descriptions for all benchmarks are available from the website associated with [22].



Benchmark          FDR    Static (BDD)   Static (SAT)
Milner-10                 0.06           0.05
Milner-15                 0.19           0.14
Milner-20          409    0.63           0.28
Milner-21          948    0.73           0.23
Milner-22          *      0.93           0.25
Milner-25          *      1.63           0.41
Milner-30          *      7.56           0.8
Philosophers-5            0.30           0.10
Philosophers-7     2      1.62           0.21
Philosophers-8     20     2.51           0.35
Philosophers-9     140    3.98           0.50
Philosophers-10    960    7.49           0.72
Mad Postman-2             0.06           0.03
Mad Postman-3      6      *              0.20
Mad Postman-4      *      *              0.89
Mad Postman-5      *      *              4.21
Mad Postman-6      *      *              20.75

Benchmark          FDR    Static (BDD)   Static (SAT)
SWP-1                     0.03           7.06
SWP-2                     0.46           *
SWP-3                     46.81          *
SWP-1-inter-2             0.04           14.84
SWP-1-inter-3      31     0.06           24.02
SWP-1-inter-4      *      0.08           29.44
SWP-1-inter-7      *      0.13           58.82
SWP-2-inter-2      170    0.71           *
SWP-2-inter-3      *      0.94           *
SWP-1-pipe-2              0.04           28.09
SWP-1-pipe-3              0.07           66.71
SWP-1-pipe-4       3      0.09           121.09
SWP-1-pipe-5       246    0.10           192.39
SWP-1-pipe-7       *      0.14           399.55
ABP-0                     0.03           0.11
ABP-0-inter-2             0.03           0.23
ABP-0-inter-3      23     0.06           0.35
ABP-0-inter-4      *      0.08           0.47
ABP-0-inter-5      *      0.09           0.63
ABP-0-pipe-2              0.04           0.35
ABP-0-pipe-3       9      0.06           0.75
ABP-0-pipe-4       175    0.08           1.27
ABP-0-pipe-5       *      0.10           1.85
ABP-0-pipe-6       *      0.11           2.91
ABP-4                     0.11           *
ABP-4-inter-2      39     0.16           *
ABP-4-inter-3      *      0.22           *
ABP-4-inter-7      *      0.39           *
ABP-4-pipe-2       12     0.38           *
ABP-4-pipe-3       *      0.38           *
ABP-4-pipe-7       *      0.39           *

Table 1: Times reported are in seconds, with * denoting a 30-minute timeout. FDR is the explicit-state model checker; Static (BDD) and Static (SAT) are the two SLAP back-ends.



8. Future Work 

An interesting property of our approach is the possibility for our algorithm to produce a 
certificate of livelock-freedom, consisting among others in the various sets supporting the 
final judgement. Such a certificate could then be checked by an independent tool. 

Other directions for future work include improving the efficiency of SLAP by incorporating various abstractions (such as collapsing all events on a given channel, or placing a priori bounds on the size of sets), or conversely increasing accuracy at modest computational cost, for example by making use of algebraic laws at the syntactic level, such as bounded unfoldings of parallel compositions.
Appendix A. Proofs for Section 3.2.1

Throughout the section we will use the following notation. For every $u \in \Sigma^\omega$ and $i \in \mathbb{N}$ we will denote by $u_i$ the prefix of $u$ of length $i$. Then, as explained in Section 3.2.1, $u \in \mathrm{traces}^\omega(P)$ if and only if for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P) \cap \Sigma^*$. Let us recall that for every $i \in \mathbb{N}$, $u_i$ cannot contain $\checkmark$ and is therefore an element of $\Sigma^*$. We will frequently make use of the following observation, which relies on the set $\mathrm{traces}(P)$ being prefix-closed: if $u_i \in \mathrm{traces}(P)$ for infinitely many $i \in \mathbb{N}$, then $u_i \in \mathrm{traces}(P)$ for all $i \in \mathbb{N}$ and, therefore, $u \in \mathrm{traces}^\omega(P)$. Most proofs will be based on König's Lemma, which we now recall.

Theorem A.1 (König's Lemma). Suppose that for each $i \in \mathbb{N}$, $X_i$ is a non-empty finite set and $f_i : X_{i+1} \to X_i$ is a total function. Then there is a sequence $(x_i \mid i \in \mathbb{N})$ such that $x_i \in X_i$ and $f_i(x_{i+1}) = x_i$. □

In our proofs we will define the sets $X_i$ as specific subsets of $\mathrm{traces}(P) \cap \Sigma^*$. For each $i \in \mathbb{N}$, $x_i \in X_i$ and $x_{i+1} \in X_{i+1}$, $f_i(x_{i+1}) = x_i$ will imply that $x_i < x_{i+1}$, where $<$ denotes the strict prefix order of traces on $\Sigma^*$. For a given $x_{i+1} \in X_{i+1}$, the choice for $f_i(x_{i+1})$ might not be unique, but we can take an arbitrary prefix $x_i$ of $x_{i+1}$ from $X_i$ satisfying certain properties. Then the sequence $(x_i \mid i \in \mathbb{N})$ will form an infinite chain $x_0 < x_1 < x_2 < \cdots < x_n < \cdots$ under prefix and $x = \lim_{i \to \infty} x_i \in \mathrm{traces}^\omega(P)$.



Lemma 3.2. Let $u \in \mathrm{traces}^\omega(a \to P)$. Then there exists $u' \in \mathrm{traces}^\omega(P)$ such that $u = \langle a \rangle^\frown u'$.

Proof. Let $u \in \mathrm{traces}^\omega(a \to P)$. By definition, for each $t < u$, $t \in \mathrm{traces}(a \to P)$. Then, for each $t < u$, $t = \langle a \rangle^\frown t'$ for some $t' \in \mathrm{traces}(P)$. Let $u = \langle a \rangle^\frown u'$ for some $u' \in \Sigma^\omega$. Then, for each $t' < u'$, $t' \in \mathrm{traces}(P)$. Therefore, by definition, $u' \in \mathrm{traces}^\omega(P)$. □



Lemma 3.3. Let $u \in \mathrm{traces}^\omega(P \oplus Q)$ for $\oplus \in \{\Box, \sqcap\}$. Then $u \in \mathrm{traces}^\omega(P)$ or $u \in \mathrm{traces}^\omega(Q)$.

Proof. Let $u \in \mathrm{traces}^\omega(P \oplus Q)$. By definition, for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P \oplus Q)$. Therefore, for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P)$ or $u_i \in \mathrm{traces}(Q)$. Then, due to the pigeonhole principle, $u_i \in \mathrm{traces}(P)$ for infinitely many $i \in \mathbb{N}$ or $u_i \in \mathrm{traces}(Q)$ for infinitely many $i \in \mathbb{N}$. Let without loss of generality the former hold. Then $u_i \in \mathrm{traces}(P)$ for all $i \in \mathbb{N}$ and, hence, $u \in \mathrm{traces}^\omega(P)$. □



Lemma 3.4. Let $u \in \mathrm{traces}^\omega(P \,;\, Q)$. Then $u \in \mathrm{traces}^\omega(P)$ or $u = t^\frown u'$ with $t^\frown\langle\checkmark\rangle \in \mathrm{traces}(P)$ and $u' \in \mathrm{traces}^\omega(Q)$.

Proof. Let $u \in \mathrm{traces}^\omega(P \,;\, Q)$. By definition, for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P \,;\, Q)$. Therefore, for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P)$ or $u_i = t_1^\frown t_2$ with $t_1^\frown\langle\checkmark\rangle \in \mathrm{traces}(P) \cap \Sigma^*\checkmark$ and $t_2 \in \mathrm{traces}(Q) \cap \Sigma^*$. If for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P)$, then, by definition, $u \in \mathrm{traces}^\omega(P)$. Otherwise, there exists $N \in \mathbb{N}$ such that $u_0, u_1, \ldots, u_N \in \mathrm{traces}(P)$, but $u_{N+1} \notin \mathrm{traces}(P)$. Therefore, for $j \ge 1$, $u_{N+j} \notin \mathrm{traces}(P)$. By assumption, for every $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P \,;\, Q)$. Therefore, for $j \ge 1$, $u_{N+j} = t_j^\frown v_j$ where $t_j^\frown\langle\checkmark\rangle \in \mathrm{traces}(P)$ (and therefore $t_j \le u_N$) and $v_j \in \mathrm{traces}(Q)$. Then there must be some $t \le u_N$ such that $t_j = t$ for infinitely many $u_{N+j}$'s. Let us write $u_j = t^\frown w_j$ for $j \ge |t|$. We have that $t^\frown\langle\checkmark\rangle \in \mathrm{traces}(P)$ and infinitely often $w_j \in \mathrm{traces}(Q)$. Since for $j < j'$, $w_j < w_{j'}$, and the set of traces is prefix-closed, $w_j \in \mathrm{traces}(Q)$ for each $j \ge |t|$. Then, by definition, $u' = \lim_{j \to \infty} w_j \in \mathrm{traces}^\omega(Q)$. □
Lemma 3.5. Let $u \in \mathrm{traces}^\omega(P \setminus A)$ and $P \setminus A$ be livelock-free. Then there exists $v \in \mathrm{traces}^\omega(P)$ such that $u = v \upharpoonright (\Sigma \setminus A)$.

Proof. Let $u \in \mathrm{traces}^\omega(P \setminus A)$. By definition, for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P \setminus A)$, i.e., there exists $v_{j_i} \in \mathrm{traces}(P)$ such that $u_i = v_{j_i} \upharpoonright (\Sigma \setminus A)$.

Let, for $i \in \mathbb{N}$, $\upharpoonright^{-1}(u_i) = \{v \in \mathrm{traces}^\infty(P) \mid v \upharpoonright (\Sigma \setminus A) = u_i\}$. We claim that, for each $i \in \mathbb{N}$, $\upharpoonright^{-1}(u_i)$ is finite. Suppose, for the sake of the argument, that $\upharpoonright^{-1}(u_k)$ is infinite. We will prove that $P \setminus A$ is divergent, which will be a contradiction with $P \setminus A$ being livelock-free. Let $u_k = \langle a_1, a_2, \ldots, a_k \rangle$. It is clear that $\{a_1, a_2, \ldots, a_k\} \cap A = \emptyset$. Then
$$\upharpoonright^{-1}(u_k) = \big((A^* \cup A^\omega)\, a_1\, (A^* \cup A^\omega)\, a_2\, (A^* \cup A^\omega) \cdots (A^* \cup A^\omega)\, a_k\, (A^* \cup A^\omega)\big) \cap \mathrm{traces}^\infty(P).$$
Let, for $i \in \{0, \ldots, k-1\}$, $n_i$ be the maximum number of occurrences of consecutive events from $A$ before the occurrence of $a_{i+1}$, and let $n_k$ be the maximum number of consecutive events from $A$ after $a_k$. Then, for $i \in \{0, \ldots, k\}$, $n_i \in \mathbb{N} \cup \{\omega\}$. Since $\upharpoonright^{-1}(u_k)$ is infinite, there exists $j \in \{0, \ldots, k\}$ such that $n_j = \omega$. Let $j_{\min}$ be the minimal $j$ with this property. Then, for $i < j_{\min}$, $n_i \in \mathbb{N}$. Let $v \in (A^* a_1 A^* a_2 A^* \cdots A^* a_{j_{\min}} A^\omega) \cap \mathrm{traces}^\omega(P)$. Therefore $v \upharpoonright (\Sigma \setminus A) = \langle a_1, a_2, \ldots, a_{j_{\min}} \rangle = u_{j_{\min}} \in \mathrm{divergences}(P \setminus A)$, which is a contradiction with $P \setminus A$ being livelock-free. Hence, for $i \in \{0, \ldots, k\}$, $n_i \in \mathbb{N}$ and therefore $\upharpoonright^{-1}(u_k)$ is finite. Therefore, for each $i \in \mathbb{N}$, we have:

(1) $\upharpoonright^{-1}(u_i) \neq \emptyset$ because $u_i \in \mathrm{traces}(P \setminus A)$;

(2) $\upharpoonright^{-1}(u_i)$ is finite;

(3) for each $j > i$ and each $w \in \upharpoonright^{-1}(u_j)$, there exists $v \in \upharpoonright^{-1}(u_i)$ such that $v < w$. The trace $v$ can be defined as an arbitrary prefix of $w$ of $(\Sigma \setminus A)$-length $i$.

Therefore, by König's Lemma, there exists an infinite sequence $v_{j_1} < v_{j_2} < \cdots < v_{j_n} < \cdots$ such that for $i \in \mathbb{N}$, $v_{j_i} \in \upharpoonright^{-1}(u_i)$, i.e., $v_{j_i} \in \mathrm{traces}(P)$ and $u_i = v_{j_i} \upharpoonright (\Sigma \setminus A)$. Therefore $v = \lim_{i \to \infty} v_{j_i} \in \mathrm{traces}^\omega(P)$ and $u = v \upharpoonright (\Sigma \setminus A)$. □



Lemma 3.6. Let $u \in \mathrm{traces}^\omega(P[R])$. Then there exists $v \in \mathrm{traces}^\omega(P)$ such that $v \mathrel{R} u$.

Proof. Let $u \in \mathrm{traces}^\omega(P[R])$. By definition, for each $i \in \mathbb{N}$, $u_i \in \mathrm{traces}(P[R]) \cap \Sigma^*$. Therefore, for each $i \in \mathbb{N}$, there exists $v_{j_i} \in \mathrm{traces}(P) \cap \Sigma^*$ such that $v_{j_i} \mathrel{R} u_i$, i.e., $\mathrm{length}(u_i) = \mathrm{length}(v_{j_i}) = i$ and for each $0 \le k < i$, $v_{j_i}(k) \mathrel{R} u_i(k)$. Let, for $i \in \mathbb{N}$, $R^{-1}(u_i) = \{v \in \mathrm{traces}(P) \mid v \mathrel{R} u_i\}$. Then, for $i \in \mathbb{N}$:

(1) $R^{-1}(u_i) \neq \emptyset$ because $u_i \in \mathrm{traces}(P[R])$;

(2) $R^{-1}(u_i)$ is finite because $\Sigma$, and therefore $R$, are finite;

(3) for each $j > i$ and each $w \in R^{-1}(u_j)$, there exists $v \in R^{-1}(u_i)$ such that $v < w$. The trace $v$ can be constructed as the prefix of $w$ of length $i$.

Therefore, by König's Lemma, there exists an infinite sequence $v_{j_1} < v_{j_2} < \cdots < v_{j_n} < \cdots$ such that for $i \in \mathbb{N}$, $v_{j_i} \in R^{-1}(u_i)$, i.e., $v_{j_i} \in \mathrm{traces}(P)$ and $v_{j_i} \mathrel{R} u_i$. Therefore $v = \lim_{i \to \infty} v_{j_i} \in \mathrm{traces}^\omega(P)$ and $v \mathrel{R} u$. □

Lemma 3.7. Let $u \in \mathrm{traces}^\omega(P \parallel_A Q)$. Then there exist $u_1 \in \mathrm{traces}^\infty(P)$ and $u_2 \in \mathrm{traces}^\infty(Q)$ such that $u \in u_1 \parallel_A u_2$ and, moreover, $u_1 \in \Sigma^\omega$ or $u_2 \in \Sigma^\omega$.

Proof. Let $u \in \mathrm{traces}^\omega(P \parallel_A Q)$. Then, by definition, for each $n \in \mathbb{N}$ there exist $v_{i_n} \in \mathrm{traces}(P) \cap \Sigma^*$ and $w_{j_n} \in \mathrm{traces}(Q) \cap \Sigma^*$ such that $u_n \in v_{i_n} \parallel_A w_{j_n}$ and $n \le |v_{i_n}| + |w_{j_n}| \le 2n$. Therefore, for each such triple $(u_n, v_{i_n}, w_{j_n})$ there exists a function $f^n : \{1, \ldots, n\} \to \{0, 1, 2\}$ specifying a possible interleaving of $v_{i_n}$ and $w_{j_n}$ for obtaining $u_n$. More specifically, $f^n(i)$ indicates which process contributes to communicating the $i$-th event of $u_n$, with $0$ denoting both $P$ and $Q$ (for events in $A$), $1$ denoting only $P$, and $2$ denoting only $Q$. Given $u_n = \langle a_1, \ldots, a_n \rangle$ and $f^n$, $v_{i_n}$ and $w_{j_n}$ are identified uniquely as $v_{i_n} = \langle a_i \mid 1 \le i \le n,\ f^n(i) \in \{0, 1\} \rangle$ and $w_{j_n} = \langle a_i \mid 1 \le i \le n,\ f^n(i) \in \{0, 2\} \rangle$.

Let us define a partially ordered set $((\Sigma^*)^2, \le)$ with $(v, w) \le (v', w')$ iff $v \le v'$ and $w \le w'$, where $\le$ denotes the non-strict prefix order on traces. We will prove that there exists an infinite chain $(v_{i_1}, w_{j_1}) \le \cdots \le (v_{i_n}, w_{j_n}) \le \cdots$ such that for each $n \in \mathbb{N}$, $v_{i_n} \in \mathrm{traces}(P)$, $w_{j_n} \in \mathrm{traces}(Q)$ and $u_n \in v_{i_n} \parallel_A w_{j_n}$.

Let, for $k \in \mathbb{N}$, $\parallel_A^{-1}(u_k) = \{(v_{i_k}, w_{j_k}) \mid v_{i_k} \in \mathrm{traces}(P),\ w_{j_k} \in \mathrm{traces}(Q),\ u_k \in v_{i_k} \parallel_A w_{j_k}\}$. Then:

(1) $\parallel_A^{-1}(u_k) \neq \emptyset$ because $u_k \in \mathrm{traces}(P \parallel_A Q)$;

(2) $\parallel_A^{-1}(u_k)$ is finite because $\Sigma$ is finite;

(3) for each $k > l$ and each $(v_{i_k}, w_{j_k}) \in \parallel_A^{-1}(u_k)$, there exists $(v_{i_l}, w_{j_l}) \in \parallel_A^{-1}(u_l)$ such that $(v_{i_l}, w_{j_l}) \le (v_{i_k}, w_{j_k})$. The pair of traces $(v_{i_l}, w_{j_l})$ can be constructed as follows. Let, for the triple $(u_k, v_{i_k}, w_{j_k})$, the function $f^k : \{1, \ldots, k\} \to \{0, 1, 2\}$ specify a possible interleaving of $v_{i_k}$ and $w_{j_k}$ for obtaining $u_k$. We define $f^l(i) = f^k(i)$ for $1 \le i \le l$. Then $(v_{i_l}, w_{j_l})$ is the pair that is uniquely identified by $f^l$ and $u_l$.

Therefore, by König's Lemma, there exists an infinite chain $(v_{i_1}, w_{j_1}) \le (v_{i_2}, w_{j_2}) \le \cdots$ such that for each $k \in \mathbb{N}$, $v_{i_k} \in \mathrm{traces}(P)$, $w_{j_k} \in \mathrm{traces}(Q)$, $u_k \in v_{i_k} \parallel_A w_{j_k}$ and $k \le |v_{i_k}| + |w_{j_k}| \le 2k$. Let $v = \lim_{k \to \infty} v_{i_k}$ and $w = \lim_{k \to \infty} w_{j_k}$. Then clearly $v \in \mathrm{traces}^\infty(P)$, $w \in \mathrm{traces}^\infty(Q)$ and $u \in v \parallel_A w$. Let us assume that both $v$ and $w$ are finite, i.e., $|v| = l_v$ and $|w| = l_w$ for some $l_v, l_w \in \mathbb{N}$. Then each prefix of $u$ will be of length at most $l_v + l_w \in \mathbb{N}$, which is a contradiction with $u$ being infinite. Therefore, at least one of $v$ and $w$ is infinite. □
Appendix B. Proofs for Section 4

Lemma B.1 ([26, Lemma 9.2.5]). In any metric space, if $s$ is a Cauchy sequence that has a subsequence that converges to a point $x$, then $s$ also converges to $x$. $\square$

Proposition B.2. Let $U \subseteq \Sigma$. Then $\mathcal{T}^{\Downarrow}$ equipped with the metric $d_U$ is a complete metric space.

Proof. We will prove that every Cauchy sequence converges.

Let $\langle P_i \mid i \in \mathbb{N} \rangle$ be a Cauchy sequence in $(\mathcal{T}^{\Downarrow}, d_U)$. By definition, for every $\varepsilon > 0$ there exists $N_\varepsilon \in \mathbb{N}$ such that, for every $n, m \ge N_\varepsilon$, $d_U(P_n, P_m) < \varepsilon$. Therefore, for every $r \in \mathbb{N}$ and $\varepsilon = 2^{-r}$, there exists $N_r \in \mathbb{N}$ such that, for every $n, m \ge N_r$, $d_U(P_n, P_m) < 2^{-r}$, i.e., $P_n \restriction_U r = P_m \restriction_U r$. Then, for every $r, m \in \mathbb{N}$, $d_U(P_{N_r}, P_{N_r + m}) < 2^{-r}$. Therefore, the subsequence $\langle P_{N_r} \mid r \in \mathbb{N} \rangle$ of $\langle P_i \mid i \in \mathbb{N} \rangle$ is itself a Cauchy sequence.

Let us define $P = \bigsqcap_{q \in \mathbb{N}} \bigsqcup_{r \ge q} P_{N_r}$. We have $P \in \mathcal{T}^{\Downarrow}$ because $(\mathcal{T}^{\Downarrow}, \sqsubseteq)$ is a complete lattice. We will prove that the subsequence $\langle P_{N_r} \mid r \in \mathbb{N} \rangle$ converges to $P$, i.e., that for every $r \in \mathbb{N}$, $d_U(P_{N_r}, P) \le 2^{-r}$.

Let us fix $r$. Suppose, for the sake of the argument, that $d_U(P_{N_r}, P) > 2^{-r}$ and let, without loss of generality, $P_{N_r}$ and $P$ disagree on the sets of their divergences. Therefore, there exists $t \in \Sigma^{*\checkmark}$ such that $\mathit{length}_U(t) \le r$ and either $t \in \mathit{divergences}(P_{N_r}) \setminus \mathit{divergences}(P)$ or $t \in \mathit{divergences}(P) \setminus \mathit{divergences}(P_{N_r})$. To remind, by construction we have $\mathit{divergences}(P) = \bigcup_{q \in \mathbb{N}} \bigcap_{r \ge q} \mathit{divergences}(P_{N_r})$. We explore both alternatives.

• Suppose $t \in \mathit{divergences}(P_{N_r}) \setminus \mathit{divergences}(P)$. Since $t \notin \mathit{divergences}(P)$, for every $q \in \mathbb{N}$ there exists $s_q \ge q$ such that $t \notin \mathit{divergences}(P_{N_{s_q}})$. Therefore, for $q = r$ there exists $s_r \ge r$ such that $t \notin \mathit{divergences}(P_{N_{s_r}})$. Hence, since $t \in \mathit{divergences}(P_{N_r})$ and $\mathit{length}_U(t) \le r$, $d_U(P_{N_r}, P_{N_{s_r}}) > 2^{-r}$, which is a contradiction with $d_U(P_{N_r}, P_{N_{r+m}}) < 2^{-r}$ for $m \ge 0$.

• Therefore, $t \in \mathit{divergences}(P) \setminus \mathit{divergences}(P_{N_r})$. Since $t \in \mathit{divergences}(P)$, there exists $q \in \mathbb{N}$ such that for every $s \ge q$, $t \in \mathit{divergences}(P_{N_s})$. However, as $t \notin \mathit{divergences}(P_{N_r})$ and $\mathit{length}_U(t) \le r$, for every $s \ge r$, $t \notin \mathit{divergences}(P_{N_s})$, which again leads to a contradiction.

Therefore, for every $r \in \mathbb{N}$, $d_U(P_{N_r}, P) \le 2^{-r}$ and, hence, the subsequence $\langle P_{N_r} \mid r \in \mathbb{N} \rangle$ converges to $P$. Therefore, by Lemma B.1, $\langle P_i \mid i \in \mathbb{N} \rangle$ also converges to $P$ and, hence, $(\mathcal{T}^{\Downarrow}, d_U)$ is a complete metric space. $\square$

Proposition B.3. Let $U \subseteq \Sigma$. Then the set of livelock-free processes is a closed subset of $(\mathcal{T}^{\Downarrow}, d_U)$.

Proof. Let $\langle P_i \mid i \in \mathbb{N} \rangle$ be a sequence of livelock-free elements of $\mathcal{T}^{\Downarrow}$ converging to a process $Q \in \mathcal{T}^{\Downarrow}$. Therefore, by definition, for every $\varepsilon > 0$ there exists $N \in \mathbb{N}$ such that, for every $n > N$, $d_U(P_n, Q) < \varepsilon$. We will prove that $Q$ is also livelock-free.

Suppose for the sake of the argument that $Q$ can diverge. Let $t \in \mathit{divergences}(Q)$ and $\mathit{length}_U(t) = k$. If we take $\varepsilon = 2^{-k}$, since $\langle P_i \mid i \in \mathbb{N} \rangle$ converges to $Q$, there exists $N_t \in \mathbb{N}$ such that, for every $n > N_t$, $d_U(P_n, Q) < 2^{-k}$ and, therefore, $P_n \restriction_U k = Q \restriction_U k$. Therefore, for every $n > N_t$, $t \in \mathit{divergences}(P_n)$, which is a contradiction with $\langle P_i \mid i \in \mathbb{N} \rangle$ being all livelock-free.

Therefore, $Q$ is livelock-free and, hence, the set of livelock-free processes is closed. $\square$
Appendix C. Proofs for Section 4.1

Throughout this section let us fix a set of events $U \subseteq \Sigma$.

Lemma 4.3 ($;_1$). For any CSP process terms $P$, $P'$ and $Q$:

$$ d_U(P \mathbin{;} Q,\ P' \mathbin{;} Q) \le d_U(P, P'). $$

Proof. Suppose $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$. We will prove that $(T_{P;Q}, D_{P;Q}) \restriction_U k = (T_{P';Q}, D_{P';Q}) \restriction_U k$, from which we can conclude that $d_U(P ; Q, P' ; Q) \le d_U(P, P')$.

Let $t \in \mathit{divergences}(P ; Q)$ and $\mathit{length}_U(t) \le k$. We will prove that $t \in \mathit{divergences}(P' ; Q)$ and, therefore, $D_{P;Q} \restriction_U k \subseteq D_{P';Q} \restriction_U k$. The reverse containment is established similarly by symmetry.

Since $t \in \mathit{divergences}(P ; Q)$, by definition, $t \in \mathit{divergences}(P)$ or $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P)$ and $t_2 \in \mathit{divergences}(Q)$. We consider both cases.

• Suppose $t \in \mathit{divergences}(P)$. Since $\mathit{length}_U(t) \le k$ and $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$, $t \in \mathit{divergences}(P')$. Therefore, by definition, $t \in \mathit{divergences}(P' ; Q)$.

• Suppose $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P)$ and $t_2 \in \mathit{divergences}(Q)$. Observe that $\mathit{length}_U(t_1 \frown \langle \checkmark \rangle) = \mathit{length}_U(t_1) \le \mathit{length}_U(t) \le k$. Then, since $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$, $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P')$. Hence, by definition, $t_1 \frown t_2 = t \in \mathit{divergences}(P' ; Q)$.

Now let $t \in \mathit{traces}_\bot(P ; Q)$ and $\mathit{length}_U(t) \le k$. We will prove that $t \in \mathit{traces}_\bot(P' ; Q)$ and, therefore, $T_{P;Q} \restriction_U k \subseteq T_{P';Q} \restriction_U k$. The reverse containment is established similarly by symmetry. Since $t \in \mathit{traces}_\bot(P ; Q)$, $t \in \mathit{divergences}(P ; Q)$ or $t \in \mathit{traces}(P ; Q)$. The latter reduces to $t \in \mathit{traces}(P) \cap \Sigma^*$ or $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P)$ and $t_2 \in \mathit{traces}(Q)$. We consider all three alternatives.

• Suppose first that $t \in \mathit{divergences}(P ; Q)$. We already proved that $t \in \mathit{divergences}(P' ; Q)$ and, therefore, $t \in \mathit{traces}_\bot(P' ; Q)$.

• Suppose now that $t \in \mathit{traces}(P) \cap \Sigma^*$. Therefore, $t \in \mathit{traces}_\bot(P) \cap \Sigma^*$. Then, since $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$, $t \in \mathit{traces}_\bot(P') \cap \Sigma^*$.

 – If $t \in \mathit{traces}(P') \cap \Sigma^*$, then by definition $t \in \mathit{traces}(P' ; Q) \subseteq \mathit{traces}_\bot(P' ; Q)$.

 – If $t \in \mathit{divergences}(P') \cap \Sigma^*$, then by definition $t \in \mathit{divergences}(P' ; Q) \subseteq \mathit{traces}_\bot(P' ; Q)$.

• Suppose finally that $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P)$ and $t_2 \in \mathit{traces}(Q)$. We note that $\mathit{length}_U(t_1 \frown \langle \checkmark \rangle) = \mathit{length}_U(t_1) \le \mathit{length}_U(t) \le k$. Then, since $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P)$ and $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$, $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P')$.

 – Let $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P')$. By definition, $t \in \mathit{traces}(P' ; Q) \subseteq \mathit{traces}_\bot(P' ; Q)$.

 – Let $t_1 \frown \langle \checkmark \rangle \in \mathit{divergences}(P')$. By Axiom 2 of $\mathcal{T}^{\Downarrow}$, $t_1 \in \mathit{divergences}(P')$. Since $t_1 \in \Sigma^*$, by Axiom 4 of $\mathcal{T}^{\Downarrow}$, $t = t_1 \frown t_2 \in \mathit{divergences}(P')$. Then, by definition, $t \in \mathit{divergences}(P' ; Q) \subseteq \mathit{traces}_\bot(P' ; Q)$.

Therefore, $(T_{P;Q}, D_{P;Q}) \restriction_U k = (T_{P';Q}, D_{P';Q}) \restriction_U k$ and, hence, $d_U(P ; Q, P' ; Q) \le d_U(P, P')$. $\square$

Lemma 4.3 ($;_2$). For any CSP process terms $P$, $Q$ and $Q'$:

$$ d_U(P \mathbin{;} Q,\ P \mathbin{;} Q') \le d_U(Q, Q'). $$
Proof. Suppose $(T_Q, D_Q) \restriction_U k = (T_{Q'}, D_{Q'}) \restriction_U k$. We will prove that $(T_{P;Q}, D_{P;Q}) \restriction_U k = (T_{P;Q'}, D_{P;Q'}) \restriction_U k$, from which $d_U(P ; Q, P ; Q') \le d_U(Q, Q')$ follows immediately.

Let $t \in \mathit{divergences}(P ; Q)$ and $\mathit{length}_U(t) \le k$.

• Suppose $t \in \mathit{divergences}(P)$. By definition, $t \in \mathit{divergences}(P ; Q')$.

• Suppose $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P)$, $t_2 \in \mathit{divergences}(Q)$ and $\mathit{length}_U(t_2) \le \mathit{length}_U(t) \le k$. Since by assumption $D_Q \restriction_U k = D_{Q'} \restriction_U k$, $t_2 \in \mathit{divergences}(Q')$. Then, by definition, $t \in \mathit{divergences}(P ; Q')$.

Let $t \in \mathit{traces}_\bot(P ; Q)$ and $\mathit{length}_U(t) \le k$.

• Let first $t \in \mathit{divergences}(P ; Q)$. We already proved that $t \in \mathit{divergences}(P ; Q')$ and, therefore, $t \in \mathit{traces}_\bot(P ; Q')$.

• Let now $t \in \mathit{traces}(P) \cap \Sigma^*$. Then, by definition, $t \in \mathit{traces}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

• Let finally $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P) \subseteq \mathit{traces}_\bot(P)$ and $t_2 \in \mathit{traces}(Q) \subseteq \mathit{traces}_\bot(Q)$. Since $\mathit{length}_U(t) \le k$, $\mathit{length}_U(t_2) \le k$. Then, by assumption, $t_2 \in \mathit{traces}_\bot(Q')$.

 – If $t_2 \in \mathit{traces}(Q')$, by definition, $t = t_1 \frown t_2 \in \mathit{traces}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

 – Let $t_2 \in \mathit{divergences}(Q')$. Since $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P)$, by definition, $t = t_1 \frown t_2 \in \mathit{divergences}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

Therefore, $D_{P;Q} \restriction_U k \subseteq D_{P;Q'} \restriction_U k$ and $T_{P;Q} \restriction_U k \subseteq T_{P;Q'} \restriction_U k$. The reverse containments are established similarly by symmetry. Therefore, $(T_{P;Q}, D_{P;Q}) \restriction_U k = (T_{P;Q'}, D_{P;Q'}) \restriction_U k$ and, hence, $d_U(P ; Q, P ; Q') \le d_U(Q, Q')$. $\square$



Lemma 4.7. Let $P$, $Q$ and $Q'$ be CSP processes. Let $P$ always communicate an event from $U \subseteq \Sigma$ before it does a $\checkmark$. Then:

$$ d_U(P \mathbin{;} Q,\ P \mathbin{;} Q') \le \tfrac{1}{2}\, d_U(Q, Q'). $$

Proof. Suppose $(T_Q, D_Q) \restriction_U k = (T_{Q'}, D_{Q'}) \restriction_U k$. We will prove that $(T_{P;Q}, D_{P;Q}) \restriction_U (k+1) = (T_{P;Q'}, D_{P;Q'}) \restriction_U (k+1)$, which implies $d_U(P ; Q, P ; Q') \le \tfrac{1}{2} d_U(Q, Q')$.

Let $t \in \mathit{traces}_\bot(P ; Q)$ and $\mathit{length}_U(t) \le k + 1$.

• Suppose $t \in \mathit{divergences}(P ; Q)$.

 – If $t \in \mathit{divergences}(P)$, by definition, $t \in \mathit{divergences}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

 – Let $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P)$ and $t_2 \in \mathit{divergences}(Q) \subseteq \mathit{traces}_\bot(Q)$. Since $P$ always communicates an event from $U \subseteq \Sigma$ before it can do a $\checkmark$, $t_1$ contains an event from $U$. Therefore, $\mathit{length}_U(t_2) \le k$. Then, since by assumption $(T_Q, D_Q) \restriction_U k = (T_{Q'}, D_{Q'}) \restriction_U k$, $t_2 \in \mathit{divergences}(Q')$. Therefore, by definition, $t = t_1 \frown t_2 \in \mathit{divergences}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

• Suppose $t \in \mathit{traces}(P ; Q)$.

 – If $t \in \mathit{traces}(P) \cap \Sigma^*$, then by definition $t \in \mathit{traces}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

 – Let $t = t_1 \frown t_2$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P)$ and $t_2 \in \mathit{traces}(Q)$. Since $P$ always communicates an event from $U \subseteq \Sigma$ before it does a $\checkmark$, $t_1$ contains an event from $U$. Therefore, $\mathit{length}_U(t_2) \le k$. Then, by assumption, $t_2 \in \mathit{traces}_\bot(Q')$.

  * If $t_2 \in \mathit{traces}(Q')$, by definition, $t = t_1 \frown t_2 \in \mathit{traces}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

  * Let $t_2 \in \mathit{divergences}(Q')$. Since $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P)$, by definition, $t = t_1 \frown t_2 \in \mathit{divergences}(P ; Q') \subseteq \mathit{traces}_\bot(P ; Q')$.

Therefore, $D_{P;Q} \restriction_U (k+1) \subseteq D_{P;Q'} \restriction_U (k+1)$ and $T_{P;Q} \restriction_U (k+1) \subseteq T_{P;Q'} \restriction_U (k+1)$. The reverse containments are established similarly by symmetry. Therefore, $(T_{P;Q}, D_{P;Q}) \restriction_U (k+1) = (T_{P;Q'}, D_{P;Q'}) \restriction_U (k+1)$ and, hence, $d_U(P ; Q, P ; Q') \le \tfrac{1}{2} d_U(Q, Q')$. $\square$
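The following worked instance of Lemma 4.7 is an added illustration and is not part of the paper. The processes and the set $U$ are chosen here, and $d_U(P, Q)$ is read the way the proofs above use it: $d_U(P, Q) = 2^{-k}$ for the largest $k$ with $P \restriction_U k = Q \restriction_U k$, where $P \restriction_U k$ keeps the traces and divergences $t$ with $\mathit{length}_U(t) \le k$.

$$ U = \{a, b, c\}, \qquad P = a \to \mathit{SKIP}, \qquad Q = b \to \mathit{STOP}, \qquad Q' = b \to c \to \mathit{STOP}. $$

None of these processes diverges, so only traces matter. $Q$ and $Q'$ have the same traces of $U$-length at most $1$, namely $\langle\rangle$ and $\langle b \rangle$, and first differ at $U$-length $2$, since $\langle b, c \rangle \in \mathit{traces}(Q') \setminus \mathit{traces}(Q)$; hence $d_U(Q, Q') = 2^{-1}$. The process $P$ has $\mathit{traces}(P) = \{\langle\rangle, \langle a \rangle, \langle a, \checkmark \rangle\}$, so every trace of $P$ ending in $\checkmark$ contains the $U$-event $a$ and the hypothesis of Lemma 4.7 holds. By the definition of sequential composition,

$$ \mathit{traces}(P ; Q) = \{\langle\rangle, \langle a \rangle, \langle a, b \rangle\}, \qquad \mathit{traces}(P ; Q') = \{\langle\rangle, \langle a \rangle, \langle a, b \rangle, \langle a, b, c \rangle\}. $$

These agree on all traces of $U$-length at most $2$ and first differ at $U$-length $3$, so $d_U(P ; Q, P ; Q') = 2^{-2} = \tfrac{1}{2} d_U(Q, Q')$: the guard $a$ pushes every disagreement between $Q$ and $Q'$ one $U$-level deeper. Replacing $P$ by $\mathit{SKIP}$, which can do $\checkmark$ without any event from $U$, gives $\mathit{SKIP} ; Q = Q$ and $\mathit{SKIP} ; Q' = Q'$, so the distance stays at $2^{-1}$ and only the weaker bound of Lemma 4.3 ($;_2$) applies.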



Lemma 4.3 ($\sqcap$). For any CSP process terms $P$, $P'$ and $Q$:

$$ d_U(P \sqcap Q,\ P' \sqcap Q) \le d_U(P, P'). $$

Proof. Suppose $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$. We will prove that $(T_{P \sqcap Q}, D_{P \sqcap Q}) \restriction_U k = (T_{P' \sqcap Q}, D_{P' \sqcap Q}) \restriction_U k$, which directly implies $d_U(P \sqcap Q, P' \sqcap Q) \le d_U(P, P')$.

Let $t \in \mathit{divergences}(P \sqcap Q)$ and $\mathit{length}_U(t) \le k$.

• Suppose $t \in \mathit{divergences}(P)$. By assumption, $D_P \restriction_U k = D_{P'} \restriction_U k$. Therefore, $t \in \mathit{divergences}(P') \subseteq \mathit{divergences}(P' \sqcap Q)$.

• Suppose $t \in \mathit{divergences}(Q)$. By definition, $t \in \mathit{divergences}(P' \sqcap Q)$.

Let $t \in \mathit{traces}_\bot(P \sqcap Q)$ and $\mathit{length}_U(t) \le k$. We have that $\mathit{traces}_\bot(P \sqcap Q) = \mathit{traces}(P \sqcap Q) \cup \mathit{divergences}(P \sqcap Q) = \mathit{traces}(P) \cup \mathit{divergences}(P) \cup \mathit{traces}(Q) \cup \mathit{divergences}(Q) = \mathit{traces}_\bot(P) \cup \mathit{traces}_\bot(Q)$.

• Let $t \in \mathit{traces}_\bot(P)$. By assumption, $T_P \restriction_U k = T_{P'} \restriction_U k$. Therefore, $t \in \mathit{traces}_\bot(P') \subseteq \mathit{traces}_\bot(P' \sqcap Q)$.

• Let $t \in \mathit{traces}_\bot(Q)$. By definition, $t \in \mathit{traces}_\bot(P' \sqcap Q)$.

Therefore, $D_{P \sqcap Q} \restriction_U k \subseteq D_{P' \sqcap Q} \restriction_U k$ and $T_{P \sqcap Q} \restriction_U k \subseteq T_{P' \sqcap Q} \restriction_U k$. The reverse containments are established similarly by symmetry. Therefore, $(T_{P \sqcap Q}, D_{P \sqcap Q}) \restriction_U k = (T_{P' \sqcap Q}, D_{P' \sqcap Q}) \restriction_U k$ and, hence, $d_U(P \sqcap Q, P' \sqcap Q) \le d_U(P, P')$. $\square$

Lemma 4.3 ($\Box$). For any CSP process terms $P$, $P'$ and $Q$:

$$ d_U(P \mathbin{\Box} Q,\ P' \mathbin{\Box} Q) \le d_U(P, P'). $$

Proof. Same as for $\sqcap$. $\square$

Lemma 4.3 ($\parallel_A$). For any CSP process terms $P$, $P'$ and $Q$ and any $A \subseteq \Sigma$:

$$ d_U(P \parallel_A Q,\ P' \parallel_A Q) \le d_U(P, P'). $$

Proof. Suppose $(T_P, D_P) \restriction_U k = (T_{P'}, D_{P'}) \restriction_U k$. We will prove that $(T_{P \parallel_A Q}, D_{P \parallel_A Q}) \restriction_U k = (T_{P' \parallel_A Q}, D_{P' \parallel_A Q}) \restriction_U k$, which directly implies $d_U(P \parallel_A Q, P' \parallel_A Q) \le d_U(P, P')$.

Let $t \in \mathit{divergences}(P \parallel_A Q)$ and $\mathit{length}_U(t) \le k$. Therefore, $t = u \frown v$ with $u \in (s \parallel_A r) \cap \Sigma^*$, $s \in \mathit{traces}_\bot(P)$, $r \in \mathit{traces}_\bot(Q)$ and, $s \in \mathit{divergences}(P)$ or $r \in \mathit{divergences}(Q)$. Let us recall that $v$ ranges over $\Sigma^{*\checkmark}$, in accordance with Axiom 4. Let us observe that $\mathit{length}_U(s) \le \mathit{length}_U(u) \le \mathit{length}_U(t) \le k$. Therefore, by assumption, $s \in \mathit{traces}_\bot(P')$.

• Let $s \in \mathit{divergences}(P)$. By assumption, $s \in \mathit{divergences}(P')$. Therefore, by definition, $t \in \mathit{divergences}(P' \parallel_A Q)$.

• Let $r \in \mathit{divergences}(Q)$. Since $s \in \mathit{traces}_\bot(P')$, by definition, $t \in \mathit{divergences}(P' \parallel_A Q)$.

Let $t \in \mathit{traces}_\bot(P \parallel_A Q)$ and $\mathit{length}_U(t) \le k$.

• Suppose $t \in \mathit{divergences}(P \parallel_A Q)$. We already proved that $t \in \mathit{divergences}(P' \parallel_A Q) \subseteq \mathit{traces}_\bot(P' \parallel_A Q)$.

• Suppose $t \in \mathit{traces}(P \parallel_A Q)$. Therefore, there exist $s \in \mathit{traces}(P) \subseteq \mathit{traces}_\bot(P)$ and $r \in \mathit{traces}(Q) \subseteq \mathit{traces}_\bot(Q)$ such that $t \in s \parallel_A r$. By assumption, $s \in \mathit{traces}_\bot(P')$.

 – If $s \in \mathit{traces}(P')$, by definition, $t \in \mathit{traces}(P' \parallel_A Q) \subseteq \mathit{traces}_\bot(P' \parallel_A Q)$.

 – If $s \in \mathit{divergences}(P')$, by definition, $t \in \mathit{divergences}(P' \parallel_A Q) \subseteq \mathit{traces}_\bot(P' \parallel_A Q)$.

Therefore, $D_{P \parallel_A Q} \restriction_U k \subseteq D_{P' \parallel_A Q} \restriction_U k$ and $T_{P \parallel_A Q} \restriction_U k \subseteq T_{P' \parallel_A Q} \restriction_U k$. The reverse containments are established similarly by symmetry. Therefore, $(T_{P \parallel_A Q}, D_{P \parallel_A Q}) \restriction_U k = (T_{P' \parallel_A Q}, D_{P' \parallel_A Q}) \restriction_U k$ and, hence, $d_U(P \parallel_A Q, P' \parallel_A Q) \le d_U(P, P')$. $\square$



Lemma 4.5. Let $P$ and $Q$ be CSP processes and let $A \subseteq \Sigma$ satisfy $A \cap U = \emptyset$. Then:

$$ d_U(P \setminus A,\ Q \setminus A) \le d_U(P, Q). $$

Proof. Suppose $(T_P, D_P) \restriction_U k = (T_Q, D_Q) \restriction_U k$. We will prove that $(T_{P \setminus A}, D_{P \setminus A}) \restriction_U k = (T_{Q \setminus A}, D_{Q \setminus A}) \restriction_U k$, which implies $d_U(P \setminus A, Q \setminus A) \le d_U(P, Q)$.

Let $t \in \mathit{divergences}(P \setminus A)$ and $\mathit{length}_U(t) \le k$. We consider the possible alternatives for $t$.

• Suppose that there exists $s \in \mathit{divergences}(P)$ such that $t = (s \restriction (\Sigma \setminus A)) \frown r$. Since $A \cap U = \emptyset$, $\mathit{length}_U(s) = \mathit{length}_U(s \restriction (\Sigma \setminus A)) \le \mathit{length}_U(t) \le k$. Then, by assumption, $s \in \mathit{divergences}(Q)$. Therefore, by definition, $t \in \mathit{divergences}(Q \setminus A)$.

• Now suppose that there exists $u \in \Sigma^{\omega}$ such that $u \restriction (\Sigma \setminus A)$ is finite, for each $s < u$, $s \in \mathit{traces}_\bot(P)$, and $t = (u \restriction (\Sigma \setminus A)) \frown r$. Since $A \cap U = \emptyset$, $\mathit{length}_U(u) = \mathit{length}_U(u \restriction (\Sigma \setminus A)) \le \mathit{length}_U(t) \le k$. Then, by assumption, for each $s < u$, $s \in \mathit{traces}_\bot(Q)$. Hence $t \in \mathit{divergences}(Q \setminus A)$ follows by definition.

Let $t \in \mathit{traces}_\bot(P \setminus A)$ and $\mathit{length}_U(t) \le k$.

• Let first $t \in \mathit{divergences}(P \setminus A)$. We already proved that $t \in \mathit{divergences}(Q \setminus A) \subseteq \mathit{traces}_\bot(Q \setminus A)$.

• Let now $t \in \mathit{traces}(P \setminus A)$. Therefore, there exists $s \in \mathit{traces}(P) \subseteq \mathit{traces}_\bot(P)$ such that $t = s \restriction (\Sigma \setminus A)$. From $A \cap U = \emptyset$, $\mathit{length}_U(s) = \mathit{length}_U(s \restriction (\Sigma \setminus A)) = \mathit{length}_U(t) \le k$. Then, by assumption, $s \in \mathit{traces}_\bot(Q)$.

 – If $s \in \mathit{divergences}(Q)$, by definition, $t \in \mathit{divergences}(Q \setminus A) \subseteq \mathit{traces}_\bot(Q \setminus A)$.

 – If $s \in \mathit{traces}(Q)$, by definition, $t \in \mathit{traces}(Q \setminus A) \subseteq \mathit{traces}_\bot(Q \setminus A)$.

Therefore, $D_{P \setminus A} \restriction_U k \subseteq D_{Q \setminus A} \restriction_U k$ and $T_{P \setminus A} \restriction_U k \subseteq T_{Q \setminus A} \restriction_U k$. The reverse containments are established similarly by symmetry. Therefore, $(T_{P \setminus A}, D_{P \setminus A}) \restriction_U k = (T_{Q \setminus A}, D_{Q \setminus A}) \restriction_U k$ and, hence, $d_U(P \setminus A, Q \setminus A) \le d_U(P, Q)$. $\square$
Lemma 4.6. Let $P$ and $Q$ be CSP processes, let $R \subseteq \Sigma \times \Sigma$ be a renaming relation on $\Sigma$ and let $R(U) = \{ y \mid \exists x \in U .\ x \mathrel{R} y \}$. Then:

$$ d_{R(U)}(P[R],\ Q[R]) \le d_U(P, Q). $$

Proof. Suppose $(T_P, D_P) \restriction_U k = (T_Q, D_Q) \restriction_U k$. We will prove that $(T_{P[R]}, D_{P[R]}) \restriction_{R(U)} k = (T_{Q[R]}, D_{Q[R]}) \restriction_{R(U)} k$.

Let $t \in \mathit{divergences}(P[R])$ and $\mathit{length}_{R(U)}(t) \le k$. Then there exist $s_1, t_1 \in \Sigma^*$ and $r \in \Sigma^{*\checkmark}$ such that $s_1 \in \mathit{divergences}(P) \cap \Sigma^*$, $s_1 \mathrel{R} t_1$ and $t = t_1 \frown r$. Then $\mathit{length}(s_1) = \mathit{length}(t_1)$ and, for $1 \le i \le \mathit{length}(s_1)$, $s_1(i) \mathrel{R} t_1(i)$. Therefore, $\mathit{length}_U(s_1) \le \mathit{length}_{R(U)}(t_1) \le \mathit{length}_{R(U)}(t) \le k$ and, by assumption, $s_1 \in \mathit{divergences}(Q) \cap \Sigma^*$. Hence, by definition, $t \in \mathit{divergences}(Q[R])$.

Let $t \in \mathit{traces}_\bot(P[R])$ and $\mathit{length}_{R(U)}(t) \le k$.

• If $t \in \mathit{divergences}(P[R])$, we already proved that $t \in \mathit{divergences}(Q[R]) \subseteq \mathit{traces}_\bot(Q[R])$.

• Let $t \in \mathit{traces}(P[R])$. Then there exists $s \in \mathit{traces}(P)$ such that $s \mathrel{R} t$. Therefore, $\mathit{length}_U(s) \le \mathit{length}_{R(U)}(t) \le k$ and, by assumption, $s \in \mathit{traces}_\bot(Q)$.

 – If $s \in \mathit{traces}(Q)$, by definition, $t \in \mathit{traces}(Q[R]) \subseteq \mathit{traces}_\bot(Q[R])$.

 – If $s \in \mathit{divergences}(Q)$, by definition, $t \in \mathit{divergences}(Q[R]) \subseteq \mathit{traces}_\bot(Q[R])$.

Therefore, $D_{P[R]} \restriction_{R(U)} k \subseteq D_{Q[R]} \restriction_{R(U)} k$ and $T_{P[R]} \restriction_{R(U)} k \subseteq T_{Q[R]} \restriction_{R(U)} k$. The reverse containments are established similarly by symmetry. Therefore, $(T_{P[R]}, D_{P[R]}) \restriction_{R(U)} k = (T_{Q[R]}, D_{Q[R]}) \restriction_{R(U)} k$ and, hence, $d_{R(U)}(P[R], Q[R]) \le d_U(P, Q)$. $\square$
Appendix D. Proofs for Section 5

Proposition 5.2. Let $P(X, Y_1, \dots, Y_n) = P(X, \vec{Y})$ be a CSP term whose free variables are contained within the set $\{X, Y_1, \dots, Y_n\}$. Let $\mathsf{N}_X : \mathit{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in Figure 6. If $(U, V) \in \mathsf{N}_X(P)$, then for all $T_1, T_2, \Theta_1, \dots, \Theta_n \in \mathcal{T}^{\Downarrow}$, $d_V(P(T_1, \vec{\Theta}), P(T_2, \vec{\Theta})) \le d_U(T_1, T_2)$.

Proof. Structural induction on $P$. Let us take arbitrary $T_1, T_2, \Theta_1, \dots, \Theta_n \in \mathcal{T}^{\Downarrow}$.

• $\mathsf{N}_X(P) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$ whenever $X$ is not free in $P$.

Proof. Let $(U, V) \in \mathsf{N}_X(P)$. Then $d_U(T_1, T_2) \ge 0 = d_V(P(T_1, \vec\Theta), P(T_2, \vec\Theta)) = d_V(P(\vec\Theta), P(\vec\Theta))$. $\square$

• $\mathsf{N}_X(a \to P) = \mathsf{N}_X(P)$.

Proof. Suppose $(U, V) \in \mathsf{N}_X(a \to P)$. By construction, $(U, V) \in \mathsf{N}_X(P)$. Then:

  $d_U(T_1, T_2) \ge d_V(P(T_1, \vec\Theta), P(T_2, \vec\Theta))$ // induction hypothesis
  $\ge d_V(a \to P(T_1, \vec\Theta),\ a \to P(T_2, \vec\Theta))$ // Lemma 4.4
  $= d_V((a \to P)(T_1, \vec\Theta),\ (a \to P)(T_2, \vec\Theta))$

$\square$

• $\mathsf{N}_X(P \setminus A) = \{ (U, V) \mid (U, V') \in \mathsf{N}_X(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V \}$.

Proof. Suppose $(U, V) \in \mathsf{N}_X(P \setminus A)$. By construction, there exists $V'$ such that $(U, V') \in \mathsf{N}_X(P)$, $V' \subseteq V$ and $V' \cap A = \emptyset$. We will prove that for any $T_1, T_2 \in \mathcal{T}^{\Downarrow}$, $d_U(T_1, T_2) \ge d_V(P(T_1, \vec\Theta) \setminus A,\ P(T_2, \vec\Theta) \setminus A)$.

  $d_U(T_1, T_2) \ge d_{V'}(P(T_1, \vec\Theta), P(T_2, \vec\Theta))$ // induction hypothesis
  $\ge d_{V'}(P(T_1, \vec\Theta) \setminus A,\ P(T_2, \vec\Theta) \setminus A)$ // $V' \cap A = \emptyset$, Lemma 4.5
  $\ge d_V(P(T_1, \vec\Theta) \setminus A,\ P(T_2, \vec\Theta) \setminus A)$ // $V' \subseteq V$, $U \mapsto d_U$ antitone

$\square$

• $\mathsf{N}_X(P_1 \oplus P_2) = \mathsf{N}_X(P_1) \cap \mathsf{N}_X(P_2) = \{ (U_1 \cap U_2, V_1 \cup V_2) \mid (U_i, V_i) \in \mathsf{N}_X(P_i) \}$ for $\oplus \in \{\sqcap, \Box, ;, \parallel_A\}$.

Proof. Suppose $(U, V) \in \mathsf{N}_X(P_1 \oplus P_2)$. By construction, there exist $(U_1, V_1) \in \mathsf{N}_X(P_1)$ and $(U_2, V_2) \in \mathsf{N}_X(P_2)$ such that $U = U_1 \cap U_2$ and $V = V_1 \cup V_2$. Therefore, $(U, V) \in \mathsf{N}_X(P_1)$ and $(U, V) \in \mathsf{N}_X(P_2)$ (antitoneness).

  $d_V((P_1 \oplus P_2)(T_1, \vec\Theta),\ (P_1 \oplus P_2)(T_2, \vec\Theta))$
  $= d_V(P_1(T_1, \vec\Theta) \oplus P_2(T_1, \vec\Theta),\ P_1(T_2, \vec\Theta) \oplus P_2(T_2, \vec\Theta))$
  // ultrametric inequality
  $\le \max\{\ d_V(P_1(T_1, \vec\Theta) \oplus P_2(T_1, \vec\Theta),\ P_1(T_2, \vec\Theta) \oplus P_2(T_1, \vec\Theta)),$
  $\qquad\ \ d_V(P_1(T_2, \vec\Theta) \oplus P_2(T_1, \vec\Theta),\ P_1(T_2, \vec\Theta) \oplus P_2(T_2, \vec\Theta))\ \}$
  // Lemma 4.3
  $\le \max\{\ d_V(P_1(T_1, \vec\Theta), P_1(T_2, \vec\Theta)),$ // $\le d_U(T_1, T_2)$ by induction hypothesis for $P_1$
  $\qquad\ \ d_V(P_2(T_1, \vec\Theta), P_2(T_2, \vec\Theta))\ \}$ // $\le d_U(T_1, T_2)$ by induction hypothesis for $P_2$
  $\le d_U(T_1, T_2)$

$\square$
• $\mathsf{N}_X(P[R]) = \{ (U, V) \mid (U, V') \in \mathsf{N}_X(P) \wedge R(V') \subseteq V \}$.

Proof. Suppose $(U, V) \in \mathsf{N}_X(P[R])$. By construction, there exists $V'$ such that $(U, V') \in \mathsf{N}_X(P)$ and $R(V') \subseteq V$.

  $d_U(T_1, T_2) \ge d_{V'}(P(T_1, \vec\Theta), P(T_2, \vec\Theta))$ // induction hypothesis
  $\ge d_{R(V')}(P(T_1, \vec\Theta)[R],\ P(T_2, \vec\Theta)[R])$ // Lemma 4.6
  $\ge d_V(P(T_1, \vec\Theta)[R],\ P(T_2, \vec\Theta)[R])$ // $R(V') \subseteq V$, $U \mapsto d_U$ antitone

$\square$

• $\mathsf{N}_X(X) = \{ (U, V) \mid U \subseteq V \}$.

Proof.

  $d_U(T_1, T_2) \ge d_V(T_1, T_2)$ // $U \subseteq V$, $U \mapsto d_U$ antitone
  $= d_V((X)(T_1, \vec\Theta),\ (X)(T_2, \vec\Theta))$

$\square$

• $\mathsf{N}_X(\mu Y . P) = \{ (U, V) \mid (U', V') \in \mathsf{N}_X(P) \wedge (V', V') \in \mathsf{N}_Y(P) \wedge U \subseteq U' \wedge V' \subseteq V \}$ if $Y \ne X$.

Proof. Suppose $(U, V) \in \mathsf{N}_X(\mu Y . P)$ for $X \ne Y$ and $X, Y$ free in $P(X, Y, Z_1, \dots, Z_n)$. By construction, there exist $U_X, V_X \subseteq \Sigma$ such that:

(1) $(U_X, V_X) \in \mathsf{N}_X(P)$

(2) $U \subseteq U_X$, $V_X \subseteq V$

(3) $(V_X, V_X) \in \mathsf{N}_Y(P)$

Therefore, by induction hypothesis, for all $T_1, T_2, \xi, \vec\Theta \in \mathcal{T}^{\Downarrow}$ we have:

$$ d_{U_X}(T_1, T_2) \ge d_{V_X}(P(T_1, \xi, \vec\Theta),\ P(T_2, \xi, \vec\Theta)) \qquad \text{(D.1)} $$

$$ d_{V_X}(T_1, T_2) \ge d_{V_X}(P(\xi, T_1, \vec\Theta),\ P(\xi, T_2, \vec\Theta)) \qquad \text{(D.2)} $$

  $d_U(T_1, T_2) \ge d_{U_X}(T_1, T_2)$ // $U \subseteq U_X$, antitoneness
  $\ge d_{V_X}(P(T_1, \xi, \vec\Theta),\ P(T_2, \xi, \vec\Theta))$ // from (D.1)

Let $P_1(Y) = P(T_1, Y, \vec\Theta)$ and $P_2(Y) = P(T_2, Y, \vec\Theta)$. $P_1(Y)$ and $P_2(Y)$ are continuous over $\sqsubseteq$. Therefore, there exist $\mu Y . P_1(Y) = \bigsqcup_{n=0}^{\infty} P_1^n = P_1^*$ and $\mu Y . P_2(Y) = \bigsqcup_{n=0}^{\infty} P_2^n = P_2^*$, where for $i = 1, 2$, $P_i^0 = \bot = \mathit{DIV}$ and $P_i^{n+1} = P_i(P_i^n)$.

We will prove by induction that

$$ d_{V_X}(P_1^n, P_2^n) \le d_{U_X}(T_1, T_2) \quad \text{for } n \ge 1. \qquad \text{(D.3)} $$

– Let $n = 1$.

  $d_{U_X}(T_1, T_2) \ge d_{V_X}(P(T_1, \mathit{DIV}, \vec\Theta),\ P(T_2, \mathit{DIV}, \vec\Theta))$ // from (D.1)
  $= d_{V_X}(P_1^1, P_2^1)$

– Suppose $d_{V_X}(P_1^n, P_2^n) \le d_{U_X}(T_1, T_2)$.

  $d_{V_X}(P_1^{n+1}, P_2^{n+1}) = d_{V_X}(P(T_1, P_1^n, \vec\Theta),\ P(T_2, P_2^n, \vec\Theta))$
  // ultrametric inequality
  $\le \max\{\ d_{V_X}(P(T_1, P_1^n, \vec\Theta),\ P(T_2, P_1^n, \vec\Theta)),\ d_{V_X}(P(T_2, P_1^n, \vec\Theta),\ P(T_2, P_2^n, \vec\Theta))\ \}$
  $\le \max\{\ d_{U_X}(T_1, T_2),$ // from (D.1)
  $\qquad\ \ d_{V_X}(P_1^n, P_2^n)\ \}$ // from (D.2)
  $\le \max\{\ d_{U_X}(T_1, T_2),\ d_{U_X}(T_1, T_2)\ \}$ // from (D.3), local induction hypothesis
  $\le d_{U_X}(T_1, T_2)$

Let $d_{U_X}(T_1, T_2) = 2^{-k}$ for some $k \in \mathbb{N}$. Now suppose for the sake of contradiction that $d_{V_X}(P_1^*, P_2^*) > d_{U_X}(T_1, T_2) = 2^{-k}$ and let, without loss of generality, $P_1^*$ and $P_2^*$ differ on the sets of their divergences. Therefore, again without loss of generality, there exists $s \in \mathit{divergences}(P_1^*)$ such that $s \notin \mathit{divergences}(P_2^*)$ and $\mathit{length}_{V_X}(s) \le k$. Then, since $P_i^* = \bigsqcup_{n=0}^{\infty} P_i^n$, $s \in \mathit{divergences}(P_1^n)$ for all $n \in \mathbb{N}$, but there exists $l \in \mathbb{N}$ such that $s \notin \mathit{divergences}(P_2^l)$. But then $d_{V_X}(P_1^l, P_2^l) > 2^{-k} = d_{U_X}(T_1, T_2)$, which is a contradiction with (D.3). Therefore, $d_{V_X}(P_1^*, P_2^*) \le d_{U_X}(T_1, T_2)$. Then, since $U \subseteq U_X$ and $V_X \subseteq V$, by antitoneness, $d_V((\mu Y . P)(T_1, \vec\Theta),\ (\mu Y . P)(T_2, \vec\Theta)) = d_V(P_1^*, P_2^*) \le d_U(T_1, T_2)$. $\square$

$\square$

Proposition D.1. Let $P(X, Y_1, \dots, Y_n) = P(X, \vec{Y})$ be a CSP term whose free variables are contained within the set $\{X, Y_1, \dots, Y_n\}$. Let $\mathsf{G} : \mathit{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma))$, $\mathsf{C}_X : \mathit{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ and $\mathsf{F} : \mathit{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in their respective figures in Section 5. Then:

(1) If $V \in \mathsf{G}(P)$, then, with any processes substituted for the free variables of $P$ (and in particular $\mathit{DIV}$), $P$ must communicate an event from $V$ before it can do a $\checkmark$.

(2) If $(U, V) \in \mathsf{C}_X(P)$, then for all processes $T_1, T_2, \Theta_1, \dots, \Theta_n \in \mathcal{T}^{\Downarrow}$, $d_V(P(T_1, \vec\Theta), P(T_2, \vec\Theta)) \le \tfrac{1}{2} d_U(T_1, T_2)$.

(3) If $(U, V) \in \mathsf{F}(P)$, then, for any collection of $U$-fair livelock-free processes $\Theta_0, \dots, \Theta_n \in \mathcal{T}^{\Downarrow}$, the process $P(\Theta_0, \dots, \Theta_n)$ is livelock-free and $V$-fair.

Proof. We carry out the proof by induction on the structure of $P$. For clarity, we prove (1), (2) and (3) one by one, in Propositions 5.3, 5.4 and 5.5 respectively. In each of these propositions, our induction hypothesis is that at any point all of (1), (2) and (3) hold for any subterm of $P$. $\square$



Proposition 5.3. Let $P(X, Y_1, \dots, Y_n) = P(X, \vec{Y})$ be a CSP term whose free variables are contained within the set $\{X, Y_1, \dots, Y_n\}$. Let $\mathsf{G} : \mathit{CSP} \to \mathcal{P}(\mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in its defining figure in Section 5. If $V \in \mathsf{G}(P)$, then, with any processes substituted for the free variables of $P$ (and in particular $\mathit{DIV}$), $P$ must communicate an event from $V$ before it can do a $\checkmark$.

Proof. Structural induction on $P$. We will write $\overline{P}$ to denote the result of substituting all free variables in $P$ with the most general process $\bot = \mathit{DIV}$. For each process $\xi$, $\mathit{DIV} \sqsubseteq \xi$. Therefore, by monotonicity of CSP operators [21], for any process term $C(X)$, $C(\mathit{DIV}) \sqsubseteq C(\xi)$.

• $\mathsf{G}(\mathit{STOP}) = \mathcal{P}(\Sigma)$.

Proof. $\mathit{STOP}$ cannot terminate and, therefore, the property holds vacuously. $\square$

• $\mathsf{G}(a \to P) = \mathsf{G}(P) \cup \{ V \mid a \in V \}$.

Proof. Let $V \in \mathsf{G}(a \to P)$ and $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{a \to P}) = \mathit{traces}_\bot(a \to \overline{P})$. Therefore, $t = \langle a \rangle \frown r \frown \langle \checkmark \rangle$ for some $r \in \Sigma^*$ such that $r \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P})$ and $s = \langle a \rangle \frown r$. Since $V \in \mathsf{G}(a \to P)$, by construction, $V \in \mathsf{G}(P)$ or $a \in V$.

 – Suppose $V \in \mathsf{G}(P)$. Then, by induction hypothesis, $r \frown \langle \checkmark \rangle$ contains an event from $V$ and, therefore, so do $s$ and $t$.

 – Suppose $a \in V$. Then $t = \langle a \rangle \frown r \frown \langle \checkmark \rangle$ contains the event $a \in V$ before $\checkmark$.

$\square$

• $\mathsf{G}(\mathit{SKIP}) = \emptyset$. $\square$

• $\mathsf{G}(P_1 \oplus P_2) = \mathsf{G}(P_1) \cap \mathsf{G}(P_2)$ for $\oplus \in \{\sqcap, \Box\}$.

Proof. Let $V \in \mathsf{G}(P_1 \oplus P_2)$ and $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P_1 \oplus P_2}) = \mathit{traces}_\bot(\overline{P_1}) \cup \mathit{traces}_\bot(\overline{P_2})$. Therefore, $t \in \mathit{traces}_\bot(\overline{P_1})$ or $t \in \mathit{traces}_\bot(\overline{P_2})$. Let, without loss of generality, $t \in \mathit{traces}_\bot(\overline{P_1})$. By construction, $V \in \mathsf{G}(P_1)$. Then, by induction hypothesis, $s$ contains an event from $V$. $\square$

• $\mathsf{G}(P_1 \mathbin{;} P_2) = \mathsf{G}(P_1) \cup \mathsf{G}(P_2)$ if $P_1$ is closed and $\mathsf{F}(P_1) \ne \emptyset$, and $\mathsf{G}(P_1 \mathbin{;} P_2) = \mathsf{G}(P_1)$ otherwise.

Proof. Let $V \in \mathsf{G}(P_1 ; P_2)$ and $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P_1 ; P_2})$.

Let first $P_1$ be closed and $\mathsf{F}(P_1) \ne \emptyset$. Then, by Proposition D.1 (3), $P_1$ is livelock-free and, therefore, $\mathit{divergences}(P_1) = \emptyset$. Therefore, $t = t_1 \frown t_2 \frown \langle \checkmark \rangle$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P_1)$ and $t_2 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P_2})$. In this case, by construction, $V \in \mathsf{G}(P_1) \cup \mathsf{G}(P_2)$. Let, without loss of generality, $V \in \mathsf{G}(P_1)$. Then, by induction hypothesis, $t_1$ contains an event from $V$ and, therefore, so does $t$.

Let now $P_1$ be open or $\mathsf{F}(P_1) = \emptyset$. Then, by construction, $V \in \mathsf{G}(P_1)$. We consider the two possibilities for $t$.

 – $t = t_1 \frown t_2 \frown \langle \checkmark \rangle$ with $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(\overline{P_1})$ and $t_2 \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P_2})$. Since $V \in \mathsf{G}(P_1)$, by induction hypothesis, $t_1$ contains an event from $V$ and, therefore, so does $t$.

 – $t \in \mathit{divergences}(\overline{P_1})$ and, therefore, $t \in \mathit{traces}_\bot(\overline{P_1})$. Then again, by induction hypothesis, $s$ contains an event from $V$ and, therefore, so does $t$.

$\square$

• $\mathsf{G}(P_1 \parallel_A P_2) = \mathsf{G}(P_1) \cup \mathsf{G}(P_2)$ if, for $i = 1, 2$, $P_i$ is closed and $\mathsf{F}(P_i) \ne \emptyset$, and $\mathsf{G}(P_1 \parallel_A P_2) = \mathsf{G}(P_1) \cap \mathsf{G}(P_2)$ otherwise.

Proof. Let $V \in \mathsf{G}(P_1 \parallel_A P_2)$ and $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P_1 \parallel_A P_2})$.

Let first both $P_1$ and $P_2$ be closed, $\mathsf{F}(P_1) \ne \emptyset$ and $\mathsf{F}(P_2) \ne \emptyset$. Then, by Proposition D.1 (3), $P_1$ and $P_2$ are livelock-free and, therefore, $P_1 \parallel_A P_2$ is livelock-free. Therefore, $\mathit{divergences}(P_1 \parallel_A P_2) = \emptyset$ and $\mathit{traces}_\bot(P_1 \parallel_A P_2) = \mathit{traces}(P_1 \parallel_A P_2)$. By construction, $V \in \mathsf{G}(P_1) \cup \mathsf{G}(P_2)$. Let, without loss of generality, $V \in \mathsf{G}(P_2)$. Since $t \in \mathit{traces}(P_1 \parallel_A P_2)$, then, due to distributed termination, there exist $t_1, t_2$ such that $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(P_1)$, $t_2 \frown \langle \checkmark \rangle \in \mathit{traces}(P_2)$ and $t \in t_1 \parallel_A t_2$. By induction hypothesis, $t_2$ contains an event from $V$ and, therefore, so does $t$.

Otherwise, $t \in \mathit{traces}(\overline{P_1} \parallel_A \overline{P_2})$ or $t \in \mathit{divergences}(\overline{P_1} \parallel_A \overline{P_2})$. We consider both alternatives. By construction, $V \in \mathsf{G}(P_1) \cap \mathsf{G}(P_2)$, i.e., $V \in \mathsf{G}(P_1)$ and $V \in \mathsf{G}(P_2)$.

 – $t = s \frown \langle \checkmark \rangle \in \mathit{traces}(\overline{P_1} \parallel_A \overline{P_2})$. Then, due to distributed termination, there exist $t_1, t_2$ such that $t_1 \frown \langle \checkmark \rangle \in \mathit{traces}(\overline{P_1})$, $t_2 \frown \langle \checkmark \rangle \in \mathit{traces}(\overline{P_2})$ and $t \in t_1 \parallel_A t_2$. By induction hypothesis, both $t_1$ and $t_2$ contain an event from $V$ and, therefore, so does $t$.

 – $t = s \frown \langle \checkmark \rangle \in \mathit{divergences}(\overline{P_1} \parallel_A \overline{P_2})$. Therefore, there exist $s_1, s_2, t_1, t_2$ such that $t_1 \in \mathit{traces}_\bot(\overline{P_1})$, $t_2 \in \mathit{traces}_\bot(\overline{P_2})$, $s_1 \in (t_1 \parallel_A t_2) \cap \Sigma^*$, $t = s_1 \frown s_2 \frown \langle \checkmark \rangle$ and, $t_1 \in \mathit{divergences}(\overline{P_1})$ or $t_2 \in \mathit{divergences}(\overline{P_2})$. Let, without loss of generality, $t_1 \in \mathit{divergences}(\overline{P_1})$. Then $t_1 \in \Sigma^*$ and, therefore, $t_1 \frown \langle \checkmark \rangle \in \mathit{divergences}(\overline{P_1})$. Since $V \in \mathsf{G}(P_1)$, by induction hypothesis, $t_1$ contains an event from $V$ and, therefore, so does $t$.

$\square$

• $\mathsf{G}(P[R]) = \{ V \mid V' \in \mathsf{G}(P) \wedge R(V') \subseteq V \}$.

Proof. Let $V \in \mathsf{G}(P[R])$. Then, by construction, there exists $V' \in \mathsf{G}(P)$ with $R(V') \subseteq V$. Let $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P}[R])$. Then, $t \in \mathit{divergences}(\overline{P}[R])$ or $t \in \mathit{traces}(\overline{P}[R])$. We consider both alternatives.

 – Suppose $t = s \frown \langle \checkmark \rangle \in \mathit{divergences}(\overline{P}[R])$. Therefore, there exist $s_1, s_2, r_1 \in \Sigma^*$ such that $r_1 \in \mathit{divergences}(\overline{P})$, $r_1 \mathrel{R} s_1$ and $t = s_1 \frown s_2 \frown \langle \checkmark \rangle$. As $r_1 \in \mathit{divergences}(\overline{P})$, by Axiom 4, $r_1 \frown \langle \checkmark \rangle \in \mathit{divergences}(\overline{P})$. Then, by induction hypothesis for $P$, $r_1$ contains an event from $V'$. Since $r_1 \mathrel{R} s_1$, $s_1$ contains an event from $R(V') \subseteq V$. Therefore, since $t = s_1 \frown s_2 \frown \langle \checkmark \rangle$, $t$ contains an event from $V$.

 – Suppose $t = s \frown \langle \checkmark \rangle \in \mathit{traces}(\overline{P}[R])$. Therefore, there exist $t', s' \in \mathit{traces}(\overline{P})$ such that $t' = s' \frown \langle \checkmark \rangle$ and $s' \mathrel{R} s$. By induction hypothesis for $P$ and $t'$, $s'$ contains an event from $V'$. Since $s' \mathrel{R} s$, $s$ contains an event from $R(V') \subseteq V$ and, hence, $t$ contains an event from $V$.

$\square$

• $\mathsf{G}(P \setminus A) = \{ V \mid V' \in \mathsf{G}(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V \}$ if $P$ is closed and $(\emptyset, \Sigma - A) \in \mathsf{F}(P)$, and $\mathsf{G}(P \setminus A) = \emptyset$ otherwise.

Proof. Let $V \in \mathsf{G}(P \setminus A)$ and let, furthermore, $P$ be closed and $(\emptyset, \Sigma - A) \in \mathsf{F}(P)$. Then $P$ does not have free process variables and by Proposition D.1 (3) we can conclude the following:

(1) $P$ is livelock-free, i.e., $\mathit{divergences}(P) = \emptyset$ and $\mathit{traces}_\bot(P) = \mathit{traces}(P)$.

(2) Any infinite trace $u$ of $P$ contains infinitely many events from $\Sigma \setminus A$ and, therefore, $u \restriction (\Sigma \setminus A)$ is infinite.

Let $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{P \setminus A}) = \mathit{traces}_\bot(P \setminus A)$. Then $t \in \mathit{divergences}(P \setminus A)$ or $t \in \mathit{traces}(P \setminus A)$. We consider both alternatives.

 – Let $t = s \frown \langle \checkmark \rangle \in \mathit{divergences}(P \setminus A)$. As from (1) $\mathit{divergences}(P) = \emptyset$ (i.e., $t$ cannot arise from a divergence of $P$), by definition there exists $u \in \mathit{traces}^{\infty}(P)$ such that $s_1 = u \restriction (\Sigma \setminus A)$ is finite and $t = s_1 \frown s_2 \frown \langle \checkmark \rangle$. However, by (2), $u \restriction (\Sigma \setminus A)$ cannot be finite for any infinite trace $u$ of $P$. Due to the contradiction, this case is not possible.

 – Therefore, $t = s \frown \langle \checkmark \rangle \in \mathit{traces}(P \setminus A)$. Therefore, there exists $t' = s' \frown \langle \checkmark \rangle \in \mathit{traces}(P)$ such that $s = s' \restriction (\Sigma \setminus A)$. Since $V \in \mathsf{G}(P \setminus A)$, by construction there exists $V' \in \mathsf{G}(P)$ with $V' \subseteq V$ and $V' \cap A = \emptyset$. By induction hypothesis for $t'$ and $P$, $s'$ contains an event from $V' \subseteq V$. But $V' \cap A = \emptyset$. Hence, $s = s' \restriction (\Sigma \setminus A)$ contains an event from $V'$ and, therefore, from $V$.

$\square$

• $\mathsf{G}(X) = \emptyset$. $\square$

• $\mathsf{G}(\mu X . P) = \mathsf{G}(P)$.

Proof. Let $V \in \mathsf{G}(\mu X . P)$ and $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(\overline{\mu X . P})$. We have $\overline{\mu X . P} = (\mu X . P)(\mathit{DIV}) = P^* = \bigsqcup_{n=0}^{\infty} P^n$, where $P^0 = \mathit{DIV}$ and $P^{n+1} = P(P^n, \mathit{DIV})$. Since $t \in \mathit{traces}_\bot(P^*)$, $t \in \mathit{traces}_\bot(P^n)$ for each $n \in \mathbb{N}$. Therefore, $t = s \frown \langle \checkmark \rangle \in \mathit{traces}_\bot(P^1) = \mathit{traces}_\bot(P(\mathit{DIV}, \mathit{DIV})) = \mathit{traces}_\bot(\overline{P})$. By construction, $V \in \mathsf{G}(P)$. Therefore, by induction hypothesis for $P$ and $t$, $s$ contains an event from $V$. $\square$

$\square$



Proposition 5.4, Let P{X,Yi, . . . ,Yn) = P{X,Y) be a CSP term whose free variables 



are contained within the set {X,Yi, . . . ,Yn}. Let Cx ■ CSP — > V(V{T,) x P(S)) be defined 



recursively on the structure of P as shown in Figure 8. If {U,V) G Cx(P); then for all 
processes Ti, Ts, ©i, . . . , 0„ G T^, dv{P(.Ti,0), P{T2, O)) < \du{Ti,T2). 

Proof. Structural induction on P. Let us take arbitrary Ti, r2, ©i, . . . , ©„ G T^ . 

• Cx(P)='P(S) X 'P(S) whenever X is not free in P. 

Proof. Let {U,V) G Cx(P). 

\du{Ti,T2) > = dv{P{Ti,e),P{T2,0)) = dv{P(0),P(0)). D 

• Cx{a^ P)=Cx{P) U {(^7, V) G Nx(P) I a G V}. 

Proof Suppose (U,V) G Cx{a — > P). By construction, {U,V) G Cx(P) or, 
{U,V) G Nx(P) and a^V. We consider both cases. 

- Suppose {U,V) G Cx(P). Then: 

\du{Ti,T2) >dv{P{Ti,0),P{T2,0)) // induction hypothesis 

>dvla — >P{Ti,0),a — > P{T2,e)) //Lemma 

- Suppose iU,V) G Nx(P) and a£V. 

ldu{Ti,T2) >ldv{P{Ti,O),P{T2,0)) / / {U,V) e Nx(P), 



4.4 



// Proposition 
dvia^PiTi,0),a^PiT2,0)) //aeV 



5.2 



D 



. Cx(Pi e P2)=Cx(Pi) n Cx(P2) = {{Ui n U2,Vi u V2) \ {Ui,Vi) g Cx{P^)} for 

eG{n,n,||}. 

A 

Proof Suppose {U,V) G Cx(Pi ® P2)- By construction, there exist {Ui,Vi) G 
Cx(Pi) and (C/2, V2) G Cx(P2), such that U = UinU2 and V = ViU V2. Therefore, 
{U,V) G Cx(Pi), iU,V) G Cx(P2) (antitoneness). Then: 

dviiPi e P2Kri,0), (Pi e P2)(T2,0)) 

= dy(Pi(ri,0)eP2(ri,0),Pi(r2,0)eP2(r2,0)) 

// ultrametric inequaUty 
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<max{ dviPiiTi,0)eP2{Ti,0),Pi{T2,O)®P2iTi,0)), 

dv{Pi{T2,0)(BP2{Ti,e),Pi{T2,0)(BP2{T2,0))} 

11 Lemma |4.3| 



< mox{ dy(Pi(ri, 0), Pi(r2, ©)) // < i(i{/(Ti,r2), induction hypothesis for Pi 
dy(P2(ri,0),P2(r2,0))} // < |d[/(ri,r2), induction hypothesis for P2 
<\dv{T^,T2) D 

• $C_X(P_1 ; P_2) = C_X(P_1) \cap (C_X(P_2) \cup \{(U,V) \in N_X(P_2) \mid V \in G(P_1)\})$.

Proof. Suppose $(U,V) \in C_X(P_1 ; P_2)$. By construction, $(U,V) \in C_X(P_1 ; P_2)$ yields two possibilities:

– $(U,V) \in C_X(P_1) \cap C_X(P_2)$. The proof is the same as the proof for $\sqcap$, $\Box$ and $\|_A$.

– $(U,V) \in C_X(P_1) \cap \{(U,V) \in N_X(P_2) \mid V \in G(P_1)\}$. Again, using the ultrametric inequality:
  $d_V(P_1(T_1,\Theta) ; P_2(T_1,\Theta), P_1(T_2,\Theta) ; P_2(T_2,\Theta))$
  $\le \max\{ d_V(P_1(T_1,\Theta) ; P_2(T_1,\Theta), P_1(T_2,\Theta) ; P_2(T_1,\Theta)),$   // Lemma 4.3
  $\qquad\quad d_V(P_1(T_2,\Theta) ; P_2(T_1,\Theta), P_1(T_2,\Theta) ; P_2(T_2,\Theta)) \}$
  $\le \max\{ d_V(P_1(T_1,\Theta), P_1(T_2,\Theta)),$   // $\le \tfrac{1}{2} d_U(T_1,T_2)$, induction hypothesis
  $\qquad\quad d_V(P_2(T_1,\Theta), P_2(T_2,\Theta)) \}$   // $\le \tfrac{1}{2} d_U(T_1,T_2)$, Prop. D.1 (1) and Lemma 4.7
  $\le \tfrac{1}{2} d_U(T_1,T_2)$
□
• $C_X(P \setminus A) = \{(U,V) \mid (U,V') \in C_X(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V\}$.

Proof. Suppose $(U,V) \in C_X(P \setminus A)$. By construction, there exists $V'$, such that $(U,V') \in C_X(P)$, $V' \subseteq V$ and $V' \cap A = \emptyset$.
  $\tfrac{1}{2} d_U(T_1,T_2) \ge d_{V'}(P(T_1,\Theta), P(T_2,\Theta))$   // induction hypothesis
  $\ge d_{V'}(P(T_1,\Theta) \setminus A, P(T_2,\Theta) \setminus A)$   // $V' \cap A = \emptyset$, Lemma 4.5
  $\ge d_V(P(T_1,\Theta) \setminus A, P(T_2,\Theta) \setminus A)$   // $V' \subseteq V$, $U \mapsto d_U$ antitone
□

• $C_X(P[R]) = \{(U,V) \mid (U,V') \in C_X(P) \wedge R(V') \subseteq V\}$.

Proof. Suppose $(U,V) \in C_X(P[R])$. By construction, there exists $V'$, such that $(U,V') \in C_X(P)$ and $R(V') \subseteq V$.
  $\tfrac{1}{2} d_U(T_1,T_2) \ge d_{V'}(P(T_1,\Theta), P(T_2,\Theta))$   // induction hypothesis
  $\ge d_{R(V')}(P(T_1,\Theta)[R], P(T_2,\Theta)[R])$   // Lemma 4.6
  $\ge d_V(P(T_1,\Theta)[R], P(T_2,\Theta)[R])$   // $R(V') \subseteq V$, $U \mapsto d_U$ antitone
□

• $C_X(X) = \emptyset$. □

• $C_X(\mu Y . P) = \{(U,V) \mid (U',V') \in C_X(P) \wedge (V',V') \in N_Y(P) \wedge U \subseteq U' \wedge V' \subseteq V\}$ if $Y \neq X$.

Proof. Suppose $(U,V) \in C_X(\mu Y . P)$ for $X \neq Y$ and $X, Y$ free in $P(X, Y, Z_1, \ldots, Z_n)$. Then, by construction, there exist $U', V' \subseteq \Sigma$ such that:
(1) $(U',V') \in C_X(P)$
(2) $U \subseteq U'$, $V' \subseteq V$
(3) $(V',V') \in N_Y(P)$

Since $(U',V') \in C_X(P)$, by induction hypothesis, for all $T_1, T_2, \xi, \Theta \in \mathcal{T}^{\Downarrow}$ we have:
  $\tfrac{1}{2} d_{U'}(T_1,T_2) \ge d_{V'}(P(T_1,\xi,\Theta), P(T_2,\xi,\Theta))$   (D.4)

Since $(V',V') \in N_Y(P)$, from Proposition 5.2:
  $d_{V'}(T_1,T_2) \ge d_{V'}(P(\xi,T_1,\Theta), P(\xi,T_2,\Theta))$   (D.5)

Let $P_1(Y) = P(T_1,Y,\Theta)$ and $P_2(Y) = P(T_2,Y,\Theta)$. Then $(\mu Y . P)(T_1,\Theta) = P_1^* = \bigcap_{n=0}^{\infty} P_1^n$ and $(\mu Y . P)(T_2,\Theta) = P_2^* = \bigcap_{n=0}^{\infty} P_2^n$, where for $i = 1, 2$:
  $P_i^0 = \bot = DIV$, $\quad P_i^{n+1} = P(T_i, P_i^n, \Theta) = P_i(P_i^n)$.   (D.6)

We will prove by induction that for $n \ge 1$:
  $d_{V'}(P_1^n, P_2^n) \le \tfrac{1}{2} d_{U'}(T_1,T_2)$

– $n = 1$.
  $\tfrac{1}{2} d_{U'}(T_1,T_2) \ge d_{V'}(P(T_1,DIV,\Theta), P(T_2,DIV,\Theta))$   // from (D.4)

– Suppose $d_{V'}(P_1^n, P_2^n) \le \tfrac{1}{2} d_{U'}(T_1,T_2)$. Then:
  $d_{V'}(P_1^{n+1}, P_2^{n+1}) = d_{V'}(P(T_1,P_1^n,\Theta), P(T_2,P_2^n,\Theta))$   // from (D.6)
  $\le \max\{ d_{V'}(P(T_1,P_1^n,\Theta), P(T_2,P_1^n,\Theta)),$
  $\qquad\quad d_{V'}(P(T_2,P_1^n,\Theta), P(T_2,P_2^n,\Theta)) \}$
  $\le \max\{ \tfrac{1}{2} d_{U'}(T_1,T_2),$   // from (D.4)
  $\qquad\quad d_{V'}(P_1^n, P_2^n) \}$   // from (D.5)
  $\le \max\{ \tfrac{1}{2} d_{U'}(T_1,T_2), \tfrac{1}{2} d_{U'}(T_1,T_2) \}$
  $\le \tfrac{1}{2} d_{U'}(T_1,T_2)$

Now suppose that $d_{V'}(P_1^*, P_2^*) > \tfrac{1}{2} d_{U'}(T_1,T_2)$ and let $d_{U'}(T_1,T_2) = 2^{-k}$. Let, without loss of generality, $P_1^*$ and $P_2^*$ differ on the sets of their divergences and let there exist $s \in divergences(P_1^*)$ such that $s \notin divergences(P_2^*)$ and $length_{V'}(s) < k+1$. Then, since $P_2^* = \bigcap_{n=0}^{\infty} P_2^n$, there exists $l \in \mathbb{N}$ such that $s \notin P_2^l$, but for all $n \in \mathbb{N}$, $s \in P_1^n$. But then $d_{V'}(P_1^l, P_2^l) > 2^{-(k+1)} = \tfrac{1}{2} d_{U'}(T_1,T_2)$, which is a contradiction with the bound $d_{V'}(P_1^n, P_2^n) \le \tfrac{1}{2} d_{U'}(T_1,T_2)$ established above. Therefore, $d_{V'}(P_1^*, P_2^*) \le \tfrac{1}{2} d_{U'}(T_1,T_2)$. Then, since $U \subseteq U'$ and $V' \subseteq V$, by antitoneness, $d_V((\mu Y . P)(T_1,\Theta), (\mu Y . P)(T_2,\Theta)) = d_V(P_1^*, P_2^*) \le \tfrac{1}{2} d_U(T_1,T_2)$.
□



Proposition 5.5. Let $P(X_1, \ldots, X_n) = P(\vec{X})$ be a CSP term whose free variables are contained within the set $\{X_1, \ldots, X_n\}$. Let $F : CSP \to \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ be defined recursively on the structure of $P$ as shown in the figure defining $F$ in Section 5. If $(U,V) \in F(P)$, then, for any collection of $U$-fair livelock-free processes $\theta_1, \ldots, \theta_n \in \mathcal{T}^{\Downarrow}$, the process $P(\theta_1, \ldots, \theta_n)$ is livelock-free and $V$-fair.

Proof. Structural induction on $P$.

• $F(STOP) = F(SKIP) = \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$.

Proof. $STOP$ and $SKIP$ are livelock-free and do not contain infinite traces. □

• $F(a \to P) = F(P)$.

Proof. Let $(U,V) \in F(a \to P)$ and $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(a \to P)$, by construction, $(U,V) \in F(P)$. Therefore, by induction hypothesis, $P(\theta)$ is livelock-free and $V$-fair. Therefore, $a \to P(\theta)$ is livelock-free.

We will prove that $a \to P(\theta)$ is $V$-fair. Let $u \in traces^{\infty}(a \to P(\theta))$. Therefore, by Lemma 3.2 there exists $u' \in traces^{\infty}(P(\theta))$, such that $u = \langle a \rangle ^\frown u'$. Since $P(\theta)$ is $V$-fair, $u'$ contains infinitely many events from $V$, and so does therefore $u$. Hence, $a \to P(\theta)$ is $V$-fair. □

• $F(P_1 \oplus P_2) = F(P_1) \cap F(P_2)$ for $\oplus \in \{\sqcap, \Box\}$.

Proof. Let $(U,V) \in F(P_1 \oplus P_2)$ and $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(P_1 \oplus P_2)$, by construction, $(U,V) \in F(P_1)$ and $(U,V) \in F(P_2)$. Therefore, by induction hypothesis, $P_1(\theta)$ and $P_2(\theta)$ are livelock-free and $V$-fair. Therefore, $P_1(\theta) \oplus P_2(\theta)$ is livelock-free.

Let $u \in traces^{\infty}(P_1(\theta) \oplus P_2(\theta))$. Then, by Lemma 3.3, $u \in traces^{\infty}(P_1(\theta))$ or $u \in traces^{\infty}(P_2(\theta))$. Let without loss of generality the former hold. Then, since $P_1(\theta)$ is $V$-fair, $u$ contains infinitely many events from $V$. Therefore, $P_1(\theta) \oplus P_2(\theta)$ is $V$-fair. □

• $F(P_1 ; P_2) = F(P_1) \cap F(P_2)$.

Proof. Let $(U,V) \in F(P_1 ; P_2)$ and $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(P_1 ; P_2)$, by construction, $(U,V) \in F(P_1)$ and $(U,V) \in F(P_2)$. Therefore, by induction hypothesis, $P_1(\theta)$ and $P_2(\theta)$ are livelock-free and $V$-fair. Therefore, $P_1(\theta) ; P_2(\theta)$ is livelock-free.

Let $u \in traces^{\infty}(P_1(\theta) ; P_2(\theta))$. Then, by Lemma 3.4, $u \in traces^{\infty}(P_1(\theta))$ or $u = t_1 ^\frown u_2$ with $t_1 ^\frown \langle \checkmark \rangle \in traces(P_1(\theta)) \cap \Sigma^{*\checkmark}$ and $u_2 \in traces^{\infty}(P_2(\theta))$.

– Suppose $u \in traces^{\infty}(P_1(\theta))$. Since $P_1(\theta)$ is $V$-fair, $u$ contains infinitely many events from $V$.

– Suppose $u = t_1 ^\frown u_2$ with $t_1 ^\frown \langle \checkmark \rangle \in traces(P_1(\theta)) \cap \Sigma^{*\checkmark}$ and $u_2 \in traces^{\infty}(P_2(\theta))$. Since $P_2(\theta)$ is $V$-fair, $u_2$ contains infinitely many events from $V$ and so does therefore $u$.

Therefore, $P_1(\theta) ; P_2(\theta)$ is $V$-fair. □

• $F(P_1 \|_A P_2) = (F(P_1) \cap F(P_2)) \cup \{(U_1 \cap U_2, V_1) \mid (U_1,V_1) \in F(P_1) \wedge (U_2,A) \in F(P_2)\} \cup \{(U_1 \cap U_2, V_2) \mid (U_2,V_2) \in F(P_2) \wedge (U_1,A) \in F(P_1)\}$.

Proof. Let $(U,V) \in F(P_1 \|_A P_2)$ and $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(P_1 \|_A P_2)$, by construction, $F(P_1) \neq \emptyset$, $F(P_2) \neq \emptyset$ and, by induction hypothesis, $P_1(\theta)$ and $P_2(\theta)$ are livelock-free. Therefore, $P_1(\theta) \|_A P_2(\theta)$ is livelock-free.

Let $u \in traces^{\infty}(P_1(\theta) \|_A P_2(\theta))$. Therefore, by Lemma 3.7, there exist $u_1 \in traces^{\infty}(P_1(\theta))$ and $u_2 \in traces^{\infty}(P_2(\theta))$, such that $u \in u_1 \|_A u_2$ and, $u_1 \in \Sigma^{\omega}$ or $u_2 \in \Sigma^{\omega}$. Let without loss of generality $u_1 \in \Sigma^{\omega}$. By construction, we have three alternatives for $(U,V)$.

– Suppose $(U,V) \in F(P_1) \cap F(P_2)$. By induction hypothesis, $P_1(\theta)$ is $V$-fair. Therefore, $u_1$ contains infinitely many events from $V$ and so does $u$.

– Suppose $(U,V)$ is $(U_1 \cap U_2, V)$ with $(U_1,V) \in F(P_1)$, $(U_2,A) \in F(P_2)$. Then $U = U_1 \cap U_2 \subseteq U_1$ and $\theta_1, \ldots, \theta_n$ are $U_1$-fair. Hence, by induction hypothesis, $P_1(\theta)$ is $V$-fair. Then, $u_1$ contains infinitely many events from $V$ and so does therefore $u$.

– Suppose $(U,V)$ is $(U_1 \cap U_2, V)$ with $(U_2,V) \in F(P_2)$, $(U_1,A) \in F(P_1)$. Since $U = U_1 \cap U_2$, we have $U \subseteq U_1$, $U \subseteq U_2$ and therefore, $\theta_1, \ldots, \theta_n$ are $U_1$-fair and $U_2$-fair. By induction hypothesis for $P_1$, $u_1$ contains infinitely many events from $A$. Since $u_1$ and $u_2$ synchronise on the events in $A$, $u_2$ contains infinitely many events from $A$. Therefore, $u_2 \in \Sigma^{\omega}$ and by induction hypothesis for $P_2$, $u_2$ contains infinitely many events from $V$. Hence, $u$ contains infinitely many events from $V$.

Therefore, $P_1(\theta) \|_A P_2(\theta)$ is $V$-fair. □

• $F(P \setminus A) = \{(U,V) \mid (U,V') \in F(P) \wedge V' \cap A = \emptyset \wedge V' \subseteq V\}$.

Proof. Let $(U,V) \in F(P \setminus A)$ and $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(P \setminus A)$, by construction, there exists $V' \subseteq V$, such that $V' \cap A = \emptyset$ and $(U,V') \in F(P)$. Therefore, by induction hypothesis, $P(\theta)$ is livelock-free and $V'$-fair. Suppose $P(\theta) \setminus A$ is not livelock-free. Therefore, since $P(\theta)$ is livelock-free, there exists $u \in traces^{\infty}(P(\theta))$ such that $u \upharpoonright (\Sigma \setminus A)$ is finite. Since $P(\theta)$ is $V'$-fair, $u$ contains infinitely many events from $V'$. Since $V' \cap A = \emptyset$, $u \upharpoonright (\Sigma \setminus A)$ contains infinitely many events from $V'$, which is a contradiction with $u \upharpoonright (\Sigma \setminus A)$ being finite. Therefore, $P(\theta) \setminus A$ is livelock-free.

Let $u \in traces^{\infty}(P(\theta) \setminus A)$. Then, by Lemma 3.5, there exists $u' \in traces^{\infty}(P(\theta))$, such that $u = u' \upharpoonright (\Sigma \setminus A)$. Since $P(\theta)$ is $V'$-fair, $u'$ contains infinitely many events from $V'$. Since $V' \cap A = \emptyset$, $u = u' \upharpoonright (\Sigma \setminus A)$ contains infinitely many events from $V' \subseteq V$. Therefore, $u$ contains infinitely many events from $V$. Therefore, $P(\theta) \setminus A$ is $V$-fair. □

• $F(P[R]) = \{(U,V) \mid (U,V') \in F(P) \wedge R(V') \subseteq V\}$.

Proof. Let $(U,V) \in F(P[R])$ and $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(P[R])$, by construction, there exists $V'$, such that $R(V') \subseteq V$ and $(U,V') \in F(P)$. Therefore, by induction hypothesis, $P(\theta)$ is livelock-free and $V'$-fair. Hence, $P(\theta)[R]$ is also livelock-free.

Let $u \in traces^{\infty}(P(\theta)[R])$. Then, by Lemma 3.6, there exists $u' \in traces^{\infty}(P(\theta))$, such that $u' \, R \, u$. Since $P(\theta)$ is $V'$-fair, $u'$ contains infinitely many events from $V'$. Since $u' \, R \, u$, $u$ contains infinitely many events from $R(V') \subseteq V$. Therefore, $u$ contains infinitely many events from $V$. Hence, $P(\theta)[R]$ is $V$-fair. □

• $F(X) = \{(U,V) \mid U \subseteq V\}$.

Proof. Let $(U,V) \in F(X)$ and $\theta$ be a livelock-free $U$-fair process. $X(\theta) = \theta$ is then livelock-free and, since $U \subseteq V$, $X(\theta) = \theta$ is $V$-fair. □

• $F(\mu X . P) = \{(U,V) \mid (W,W) \in C_X(P) \cap F(P) \wedge U \subseteq W \subseteq V\}$ if $\mu X . P$ is open, and $F(\mu X . P) = \mathcal{P}(\Sigma) \times \{V \mid (W,W) \in C_X(P) \cap F(P) \wedge W \subseteq V\}$ otherwise.

Proof. Let $P(X, Y_1, \ldots, Y_n)$ be a CSP term whose free variables are contained within the set $\{X, Y_1, \ldots, Y_n\}$. Let $(U,V) \in F(\mu X . P)$ and $\mu X . P$ be open. Let $\theta_1, \ldots, \theta_n$ be a collection of livelock-free $U$-fair processes.

Since $(U,V) \in F(\mu X . P)$, by construction, there exists $W$, such that $U \subseteq W \subseteq V$ and $(W,W) \in C_X(P) \cap F(P)$. Therefore $\theta_1, \ldots, \theta_n$ are $W$-fair and, by induction hypothesis:
  $P(\xi, \theta)$ is livelock-free and $W$-fair for any livelock-free $W$-fair process $\xi$.   (D.7)

Since $(W,W) \in C_X(P)$, by Proposition D.1 (2), $P(X,\theta)$ is contractive in $X$ with respect to the metric $d_W$. Therefore, from Banach's fixed point theorem, $P(X,\theta)$ has a unique fixed point $(\mu X . P)(\theta) = \bigcup_{n=0}^{\infty} P^n = P^*$, where $P^0 = \top = STOP$ and $P^{n+1} = P(P^n, \theta)$.

We will prove by induction that for each $n \in \mathbb{N}$, $P^n$ is livelock-free and $W$-fair.

– $n = 0$. $STOP$ is livelock-free and does not contain infinite traces.

– Suppose that $P^n$ is livelock-free and $W$-fair. From (D.7), $P^{n+1} = P(P^n, \theta)$ is also livelock-free and $W$-fair.

Therefore, for each $n \in \mathbb{N}$, $P^n$ is livelock-free. Then, since by Proposition B.3 the set of livelock-free processes is closed, $(\mu X . P)(\theta) = \bigcup_{n=0}^{\infty} P^n = P^*$ is livelock-free.

Now, let $u \in traces^{\infty}((\mu X . P)(\theta))$. Then, for each finite prefix $t$ of $u$, $t \in traces(P^*)$, i.e., there exists some sufficiently large $n_t$, such that $t \in traces(P^{n_t})$.

If there exists $m \in \mathbb{N}$ such that for each prefix $t$ of $u$, $t \in traces(P^m)$, then $u \in traces^{\infty}(P^m)$. In this case, since $P^m$ is $W$-fair, $u$ contains infinitely many events from $W$. Then, since $W \subseteq V$, $u$ contains infinitely many events from $V$.

Otherwise, we can conclude the following:
  for each $m \in \mathbb{N}$, there exists a prefix $t$ of $u$, such that $t \notin traces(P^m)$.   (D.8)

Let $\varepsilon = 2^{-k}$ for some $k \in \mathbb{N}$. Since the sequence $(P^i \mid i \in \mathbb{N})$ converges to $P^*$ with respect to the metric $d_W$, there exists $n_{\varepsilon} \in \mathbb{N}$, such that for each $n \ge n_{\varepsilon}$, $d_W(P^*, P^n) < \varepsilon$. From our assumption (D.8), for $n_{\varepsilon}$ there exists $t_{\varepsilon}$, such that $t_{\varepsilon}$ is a prefix of $u$ and $t_{\varepsilon} \notin traces(P^{n_{\varepsilon}})$. Then, since $d_W(P^*, P^{n_{\varepsilon}}) < \varepsilon$ and $t_{\varepsilon} \in traces(P^*)$, $length_W(t_{\varepsilon}) > k$. Since $k$ was arbitrary, we can conclude that $u$ contains infinitely many events from $W$. Then again, since $W \subseteq V$, $u$ contains infinitely many events from $V$. Therefore, $(\mu X . P)(\theta)$ is $V$-fair. □

□
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Appendix E. Proofs for Section [6] 



Proposition 6.1, Let P be a structurally finite state process. Let $ : SFS — > V{V{T,) x 



V{T,)) and 6 : SFS — > {true, false} be defined recursively on the structure of P as shown 



in Figures [70| and 11. respectively. Then, if 6{P) = false, P is livelock-free. Moreover, if in 
addition ^{P) = {{Fi,Ci), . . . ,{Fk,Ck)}, then, for each infinite trace u of P, there exists 
1 < i < k, such that u is fair in Fi and u is co-fair in d. 



Proof. Induction on the structure of the SFS process $P$.

Note that by construction, all fair/co-fair pairs of sets thus generated remain disjoint, i.e., for each $(F,C) \in \Phi(P)$, $F \cap C = \emptyset$. This is key in the rule for parallel composition, where the fair/co-fair data of individual sub-components enables one to rule out certain pairs for the resulting parallel process. We prove this property only for the case of renaming as for all other cases it follows trivially from the induction hypothesis and the specific construction.

Let us also remark that it might be the case that $\delta(P) = false$ and $\Phi(P) = \emptyset$, and this indicates that $P$ is livelock-free but exhibits only finite traces. We note, however, that if $\delta(P) = false$ and $\Phi(P) \neq \emptyset$, then for every $(F,C) \in \Phi(P)$, $F \neq \emptyset$. This is true for sequential SFS processes by construction and follows for compound SFS processes by induction hypothesis and construction. We prove the property only for the cases of hiding and renaming where the argument is more subtle.

• For $P$ being a closed sequential process, $\Phi(P)$ and $\delta(P)$ are computed directly from the labelled transition system associated with $P$ as described in Section 6.

• $\delta(a \to P) = \delta(P)$ and $\Phi(a \to P) = \Phi(P)$.

Proof. Let $\delta(a \to P) = false$. By construction, $\delta(P) = false$ and, therefore, by induction hypothesis, $P$ is livelock-free. Hence, by definition, $a \to P$ is also livelock-free.

Let $u \in traces^{\infty}(a \to P)$. Then, by Lemma 3.2, there exists $u' \in traces^{\infty}(P)$, such that $u = \langle a \rangle ^\frown u'$. By induction hypothesis for $P$, there exists $(F,C) \in \Phi(P)$, such that $u'$ is fair in $F$ and co-fair in $C$. But then $u$ is also fair in $F$ and co-fair in $C$ and, by construction, $(F,C) \in \Phi(a \to P)$. □

• $\delta(P_1 \oplus P_2) = \delta(P_1) \vee \delta(P_2)$ and $\Phi(P_1 \oplus P_2) = \Phi(P_1) \cup \Phi(P_2)$ if $\oplus \in \{\sqcap, \Box\}$.

Proof. Let $\delta(P_1 \oplus P_2) = false$. By construction, $\delta(P_1) = false$ and $\delta(P_2) = false$. Therefore, by induction hypothesis, $P_1$ and $P_2$ are livelock-free. Hence, by definition, $P_1 \oplus P_2$ is livelock-free.

Let $u \in traces^{\infty}(P_1 \oplus P_2)$. By Lemma 3.3, $u \in traces^{\infty}(P_1)$ or $u \in traces^{\infty}(P_2)$. Let without loss of generality the former hold. Then, by induction hypothesis for $P_1$, there exists $(F,C) \in \Phi(P_1)$, such that $u$ is fair in $F$ and co-fair in $C$. By construction, $\Phi(P_1) \subseteq \Phi(P_1 \oplus P_2)$ and, therefore, $(F,C) \in \Phi(P_1 \oplus P_2)$. □

• $\delta(P_1 ; P_2) = \delta(P_1) \vee \delta(P_2)$ and $\Phi(P_1 ; P_2) = \Phi(P_1) \cup \Phi(P_2)$.

Proof. Let $\delta(P_1 ; P_2) = false$. By construction, $\delta(P_1) = false$ and $\delta(P_2) = false$. Therefore, by induction hypothesis, $P_1$ and $P_2$ are livelock-free. Hence, by definition, $P_1 ; P_2$ is livelock-free.

Let $u \in traces^{\infty}(P_1 ; P_2)$. By Lemma 3.4, $u \in traces^{\infty}(P_1)$ or $u = t ^\frown u'$ with $t ^\frown \langle \checkmark \rangle \in traces(P_1) \cap \Sigma^{*\checkmark}$ and $u' \in traces^{\infty}(P_2)$. We consider both alternatives.

– If $u \in traces^{\infty}(P_1)$, by induction hypothesis for $P_1$, there exists $(F,C) \in \Phi(P_1)$, such that $u$ is fair in $F$ and co-fair in $C$. By construction, $\Phi(P_1) \subseteq \Phi(P_1 ; P_2)$ and, therefore, $(F,C) \in \Phi(P_1 ; P_2)$.

– Let $u = t ^\frown u'$ where $t ^\frown \langle \checkmark \rangle \in traces(P_1) \cap \Sigma^{*\checkmark}$ and $u' \in traces^{\infty}(P_2)$. By induction hypothesis for $P_2$, there exists $(F,C) \in \Phi(P_2)$, such that $u'$ is fair in $F$ and co-fair in $C$. The finite prefix $t$ of $u$ does not affect fairness and co-fairness. Therefore, $u = t ^\frown u'$ is fair in $F$ and co-fair in $C$ and $(F,C) \in \Phi(P_1 ; P_2)$ by construction.

□

• $\delta(P \setminus A) = false$ if $\delta(P) = false$ and, for each $(F,C) \in \Phi(P)$, $F - A \neq \emptyset$; and $\delta(P \setminus A) = true$ otherwise.
  $\Phi(P \setminus A) = \{(F - A, C \cup A) \mid (F,C) \in \Phi(P)\}$.

Proof. Let $\delta(P \setminus A) = false$. By construction, $\delta(P) = false$ and for each $(F,C) \in \Phi(P)$, $F - A \neq \emptyset$. Since $\delta(P) = false$, by induction hypothesis, $P$ is livelock-free. Suppose for the sake of the argument that $P \setminus A$ can diverge. Since $P$ is livelock-free, by definition, the only alternative is that there exists $u \in traces^{\infty}(P)$, such that $u \upharpoonright (\Sigma \setminus A)$ is finite. By induction hypothesis for $P$, there exists $(F,C) \in \Phi(P)$, such that $u$ is fair in $F$ and co-fair in $C$. By construction, since $\delta(P \setminus A) = false$, $F - A \neq \emptyset$. Therefore, there exists $b \in F$ such that $b \notin A$ and $b$ occurs infinitely many times in $u$. But then $b$ should also occur infinitely many times in $u \upharpoonright (\Sigma \setminus A)$, which is a contradiction with $u \upharpoonright (\Sigma \setminus A)$ being finite. Therefore, $P \setminus A$ is livelock-free.

Now, let $u \in traces^{\infty}(P \setminus A)$. Since $P \setminus A$ is livelock-free, by Lemma 3.5, there exists $v \in traces^{\infty}(P)$ such that $u = v \upharpoonright (\Sigma \setminus A)$. By induction hypothesis for $P$, there exists $(F,C) \in \Phi(P)$ such that $v$ is fair in $F$ and co-fair in $C$. Then, since $u$ is obtained by deleting all $A$-events from $v$, $u$ is fair in $F - A$ and co-fair in $C \cup A$. Both $F - A \neq \emptyset$ and $(F - A, C \cup A) \in \Phi(P \setminus A)$ are guaranteed by construction.

Let $\delta(P \setminus A) = false$ and let $(F,C) \in \Phi(P \setminus A)$. We now prove that $F \neq \emptyset$. Since $\delta(P \setminus A) = false$, by construction we have the following:
  for each $(F',C') \in \Phi(P)$, $F' - A \neq \emptyset$.   (E.1)

As $(F,C) \in \Phi(P \setminus A)$, by construction $F = F' - A$ for some $F'$ with $(F',C') \in \Phi(P)$. By (E.1), $F' - A \neq \emptyset$ and hence $F \neq \emptyset$. □

• $\delta(P[R]) = \delta(P)$ and
  $\Phi(P[R]) = \{(F,C) \mid (F',C') \in \Phi(P) \wedge F' \subseteq R^{-1}(F) \wedge F \subseteq R(F') \wedge C = \{b \in \Sigma \mid R^{-1}(b) \subseteq C'\}\}$.

Proof. In the proof we use the following notation. For any $A \subseteq \Sigma$ and $a, b \in \Sigma$, $R(A) = \{b \mid \exists a \in A . a \, R \, b\}$ and $R^{-1}(b) = \{a \mid a \, R \, b\}$. Let us also clarify that in the setting of CSP [21] renaming relations are assumed to be total. If an event $a \in \Sigma$ is not renamed to any other event $b \in \Sigma$, it is assumed that $a$ is renamed to itself and, hence, $R(\{a\}) \neq \emptyset$.

Let $\delta(P[R]) = false$. By construction, $\delta(P) = false$. Then, by induction hypothesis, $P$ is livelock-free and, hence, by definition, so is $P[R]$.

Let $u \in traces^{\infty}(P[R])$. By Lemma 3.6, there exists $v \in traces^{\infty}(P)$, such that $v \, R \, u$, i.e., for every $i \in \mathbb{N}$, $v(i) \, R \, u(i)$. By induction hypothesis for $P$, there exists $(F',C') \in \Phi(P)$, such that $v$ is fair in $F'$ and co-fair in $C'$.

Let $C = \{b \in \Sigma \mid R^{-1}(b) \subseteq C'\}$ and let $b \in C$. By construction, for each $a \in R^{-1}(b)$, $a \in C'$ and, therefore, $v$ is co-fair in $a$. Now suppose for the sake of contradiction that $u$ contains infinitely many occurrences of $b$. By definition, there exists $a \in \Sigma$, such that $a \, R \, b$ and $a$ occurs infinitely many times in $v$. Therefore, $a \notin C'$ and $R^{-1}(b) \not\subseteq C'$, which is a contradiction with $R^{-1}(b) \subseteq C'$. Therefore, $u$ contains only finitely many $b$'s and, more generally, $u$ is co-fair in $C$.

We will construct $F$ from $F'$ such that $F \subseteq R(F')$ (which will bound $F$ from above), $F' \subseteq R^{-1}(F)$ (which will bound $F$ from below and will guarantee $F \neq \emptyset$) and $u$ is fair in $F$. Then $(F,C) \in \Phi(P[R])$ by construction.

By induction hypothesis, $F' \neq \emptyset$. Let $F' = \{a_1, \ldots, a_m\}$ and for each $1 \le i \le m$, $R(\{a_i\}) = \{b_{i1}, \ldots, b_{in_i}\}$. As each $a_i$ occurs infinitely many times in $v$ and $v \, R \, u$, for each $1 \le i \le m$, there exists $b_{j_i}$, such that $a_i \, R \, b_{j_i}$ and $b_{j_i}$ occurs infinitely many times in $u$. We define $F = \{b_{j_1}, \ldots, b_{j_m}\}$. Since $F' \neq \emptyset$, $F \neq \emptyset$. By the construction of $F$, $u$ is fair in $F$ and $F \subseteq R(F')$. As by construction for each $a_i \in F'$ there exists $b_{j_i} \in F$ with $a_i \, R \, b_{j_i}$, then for every $1 \le i \le m$, $a_i \in R^{-1}(b_{j_i})$. Therefore, $F' \subseteq R^{-1}(F)$.

We will also prove that for any $F$ that satisfies $F \subseteq R(F')$ and $F' \subseteq R^{-1}(F)$, the sets $F$ and $C$ are disjoint. Suppose there exists $b \in \Sigma$ such that $b \in F \cap C$. As $b \in C$, by construction, for each $a$ with $a \, R \, b$, we have $a \in C'$. Since $b \in F$ and by construction $F \subseteq R(F')$, there exists $a \in F'$, such that $a \, R \, b$. Therefore, $a \in C' \cap F'$. This is a contradiction with the induction hypothesis according to which $F'$ and $C'$ are disjoint. Therefore, $F \cap C = \emptyset$. □

• $\delta(P_1 \|_A P_2) = \delta(P_1) \vee \delta(P_2)$ and
  $\Phi(P_1 \|_A P_2) = \{(F,C) \mid F \cap C = \emptyset \wedge (F_i,C_i) \in \Phi(P_i) \text{ for } i = 1, 2 \wedge F = F_1 \cup F_2 \wedge C = (C_1 \cap A) \cup (C_2 \cap A) \cup ((C_1 - A) \cap (C_2 - A))\}$
  $\qquad\qquad \cup \{(F,C) \mid (F,C) \in \Phi(P_1) \wedge F \cap A = \emptyset\}$
  $\qquad\qquad \cup \{(F,C) \mid (F,C) \in \Phi(P_2) \wedge F \cap A = \emptyset\}$

Proof. Let $\delta(P_1 \|_A P_2) = false$. By construction, $\delta(P_1) = false$ and $\delta(P_2) = false$. Therefore, by induction hypothesis, $P_1$ and $P_2$ are livelock-free. Hence, by definition, $P_1 \|_A P_2$ is livelock-free.

Let $u \in traces^{\infty}(P_1 \|_A P_2)$. From Lemma 3.7, there exist $u_1 \in traces^{\infty}(P_1)$ and $u_2 \in traces^{\infty}(P_2)$, such that $u \in u_1 \|_A u_2$ and, $u_1 \in \Sigma^{\omega}$ or $u_2 \in \Sigma^{\omega}$. We will consider three different cases.

– Let $u_1 \in \Sigma^{\omega}$ and $u_2 \in \Sigma^{*}$. By induction hypothesis for $P_1$, there exists $(F,C) \in \Phi(P_1)$ such that $u_1$ is fair in $F$ and co-fair in $C$. Suppose $F \cap A \neq \emptyset$. Then, $u_1$ contains infinitely many occurrences of events from $A$. Since $P_1$ and $P_2$ synchronise on the events in $A$, $u_2$ must also contain infinitely many events from $A$, which is a contradiction with $u_2 \in \Sigma^{*}$. Therefore, $F \cap A = \emptyset$ and, by construction, $(F,C) \in \Phi(P_1 \|_A P_2)$. Now, since $u_2$ is finite and does not affect fairness and co-fairness, $u$ is fair in $F$ and co-fair in $C$.

– The case where $u_2 \in \Sigma^{\omega}$ and $u_1 \in \Sigma^{*}$ is handled in the same way.

– Let $u_1 \in \Sigma^{\omega}$ and $u_2 \in \Sigma^{\omega}$. By induction hypothesis for $P_1$ and $P_2$, there exist $(F_1,C_1) \in \Phi(P_1)$ and $(F_2,C_2) \in \Phi(P_2)$, such that $u_1$ is fair in $F_1$ and co-fair in $C_1$ and $u_2$ is fair in $F_2$ and co-fair in $C_2$. We note that for each $a \in A$, the number of occurrences of $a$ in $u_1$, $u_2$ and $u$ is the same due to $P_1$ and $P_2$ synchronising on $a$. Therefore, for each $a \in A$, $u_1$ contains infinitely many occurrences of $a$ if and only if $u_2$ contains infinitely many occurrences of $a$. Hence, $F_1 \cap C_2 \cap A = \emptyset$ and $F_2 \cap C_1 \cap A = \emptyset$.

  Let $F = F_1 \cup F_2$ and $C = (C_1 \cap A) \cup (C_2 \cap A) \cup ((C_1 - A) \cap (C_2 - A))$. We will first prove that $F \cap C = \emptyset$. Suppose for the sake of the argument that there exists $b \in \Sigma$ such that $b \in F \cap C$. Since $b \in F$, by construction, $b \in F_1$ or $b \in F_2$. Let without loss of generality $b \in F_1$. We will consider the cases $b \in A$ and $b \notin A$.

  * Suppose $b \in A$. Since $b \in F_1$, $u_1$ is fair in $b$ and, therefore, $b \notin C_1$. Since $b \in C$ and $b \in A$, $b \in C_1 \cap A$ or $b \in C_2 \cap A$. As $b \notin C_1$, $b \in C_2 \cap A$. Therefore, $b \in F_1 \cap C_2 \cap A$ which is a contradiction with $F_1 \cap C_2 \cap A = \emptyset$. Therefore, this case is not possible.

  * Suppose $b \notin A$. Since $b \in C$, $b \in C_1$ and $b \in C_2$. Therefore, $b \in F_1 \cap C_1$ which is a contradiction with the induction hypothesis by which $F_1$ and $C_1$ are disjoint. Therefore, this case is not possible either.

  Therefore, $F \cap C = \emptyset$.

  Now, for any event $b \in \Sigma$, if $b \in F_1$ or $b \in F_2$, i.e., $b$ has infinitely many occurrences in $u_1$ or $u_2$, then $b$ has infinitely many occurrences in $u \in u_1 \|_A u_2$ as well. Therefore, $u$ is fair in $F_1 \cup F_2$.

  Let for some $a \in A$, $a \in C_1$ or $a \in C_2$ and let without loss of generality the former hold. Then, $a$ occurs only finitely many times in $u_1$ and, since $P_1$ and $P_2$ synchronise on $a$, $a$ occurs only finitely many times in $u_2$ and $u$ as well. Therefore, $u$ is co-fair in $a$ and, more generally, in $(C_1 \cap A) \cup (C_2 \cap A)$. Now let $b \in (C_1 \setminus A) \cap (C_2 \setminus A)$. Therefore, $b \notin A$, $b \in C_1$ and $b \in C_2$. Therefore, since $b$ occurs only finitely often in both $u_1$ and $u_2$, $b$ occurs only finitely often in $u$ as well. Therefore, $u$ is also co-fair in $(C_1 \setminus A) \cap (C_2 \setminus A)$. Hence, $u$ is co-fair in $(C_1 \cap A) \cup (C_2 \cap A) \cup ((C_1 \setminus A) \cap (C_2 \setminus A))$ and $(F_1 \cup F_2, (C_1 \cap A) \cup (C_2 \cap A) \cup ((C_1 \setminus A) \cap (C_2 \setminus A))) \in \Phi(P_1 \|_A P_2)$ by construction.

□
□



Proposition 6.2. For any structurally finite-state process $P$, if $F(P) \neq \emptyset$ then $\delta(P) = false$.

Proof. (Sketch.) One shows by structural induction on the SFS process $P$ the stronger statement that if $F(P) \neq \emptyset$ then (i) $\delta(P) = false$, and (ii) for any $(U,V) \in F(P)$ and any $(F,C) \in \Phi(P)$, it is the case that $V \cap F \neq \emptyset$.

All cases are relatively straightforward. Note that, since $P \in SFS$, recursion does not need to be handled, as it falls within the 'sequential SFS' case. It is worth pointing out that, in carrying out the inductive proof, it turns out that it is never necessary to take account of any information regarding either $U$ or $C$; they can be ignored entirely. □
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Appendix F. Case Study: an Abstracted Version of the Alternating Bit 

Protocol 

In this section, we briefly describe an abstracted version of a network communication proto- 
col called the Alternating Bit Protocol. We use the abstracted version only to illustrate our 



concepts. For the experimental evaluation in Section 7 we use a modelling of the authentic 
protocol, the script for which can be found on the website associated with 



The process Send (see Figures 12 and 13) attempts to send messages to itself infinitely 
often. Those messages, however, have to go through an unreliable network Medium, which 
may do an arbitrary (possibly infinite) number of error events before delivering the message 
back to Send in the form of an out event. We impose a fairness constraint Fair on Medium, 
forcing it to do at most a single error before delivering the message correctly, i.e., we require 
that every error event be immediately followed by an out event. We construct the system 
by putting the mutually-recursive processes Send and Medium in parallel with the process 
Fair, synchronising on the set of their shared events {error, out} and hiding the error event 
at the top. The resulting process System is livelock-free and is, in fact, equivalent to the 
process Bi = in — > out — > Bi, which implements a single-slot buffer. 



  $Send = in \to Medium$
  $Medium = out \to Send \;\Box\; error \to Medium$
  $Fair = out \to Fair \;\Box\; error \to out \to Fair$
  $Network = Send \;\|_{\{error,\,out\}}\; Fair$
  $System = Network \setminus \{error\}$

Figure 12: ABP: an abstracted version.

[Figure 13: Abstracted ABP: transition systems. The figure shows the labelled transition systems of Send, Fair, their parallel composition synchronised on {error, out}, and the result of hiding {error}; the diagram itself is not recoverable from the text.]



Using the systems of rules presented in Section 5 we calculate the sets of fair sets of Send, Fair, Network and System as follows (where the operator $\uparrow$ denotes upper closure on $\mathcal{P}(\mathcal{P}(\Sigma))$ and $\Sigma = \{in, out, error\}$):

  $F(Send) = \uparrow \{\{in, error\}, \{out, error\}\}$
  $F(Fair) = \uparrow \{\{out\}\}$
  $F(Network) = \uparrow \{\{out\}, \{out, error\}, \{in, error\}\}$
  $F(System) = \uparrow \{\{out\}\}$

Therefore, System is livelock-free and any infinite trace of System contains infinitely many occurrences of the event out.

An interesting weakness of the general framework is that it fails to establish the fact that System is also $\{in\}$-fair. Indeed, since System is equivalent to the process $B_1 = in \to out \to B_1$, any infinite trace of System should also contain infinitely many occurrences of in. Therefore, the process $Network \setminus \{error, out\}$, which is equivalent to the process $IN = in \to IN$, is livelock-free and $\{in\}$-fair. However, $F(Network \setminus \{error, out\}) = \emptyset$ (thanks to the $F$ rule for hiding) and therefore the general framework would mark $Network \setminus \{error, out\}$ as potentially divergent.

Let us now illustrate the precision of the system of rules for SFS processes by trying to establish that the process $System = Network \setminus \{error, out\} = (Send \;\|_{\{error,\,out\}}\; Fair) \setminus \{error, out\}$ is livelock-free.

The processes Send and Fair depicted in Figure 13 are both sequential SFS processes; for those we apply the algorithms described in Section 6.1 to conclude that $\delta(Send) = \delta(Fair) = false$ and, regarding the set of fair/co-fair pairs,

  $\Phi(Send) = \{ (\{in, out\}, \{error\}), (\{error\}, \{in, out\}), (\{error, in, out\}, \emptyset) \}$,
  $\Phi(Fair) = \{ (\{out\}, \{in, error\}), (\{error, out\}, \{in\}) \}$.

Now let us consider the process $Network = Send \;\|_{\{error,\,out\}}\; Fair$.

Since both Send and Fair are livelock-free, there is no way of having a divergence in Network, which is confirmed by the rule $\delta(Network) = \delta(Send) \vee \delta(Fair) = false$.

Let us now have a look at the $\Phi$ rule for parallel composition. Since each of the fair/co-fair pairs $(F,C)$ of Send and Fair have non-empty intersection with the synchronisation set $A = \{error, out\}$ of the parallel composition, we conclude that:

(1) We can only use the first set-comprehension clause for assembling the fair/co-fair pairs of Medium.

(2) Both Send and Fair contribute infinite traces in any infinite trace $u$ of Network, i.e., $u = u_1 \|_A u_2$, where $u_1 \in traces^{\infty}(Send)$ and $u_2 \in traces^{\infty}(Fair)$.

Intuitively, every infinite trace of Fair, and in particular $u_2$, contains infinitely many occurrences of out. Since Send and Fair synchronise on out, $u_1$ also contains infinitely many occurrences of out. But in $u_1$, out occurs infinitely often precisely whenever in occurs infinitely often. Therefore, $u_1$, and hence also $u$, both contain infinitely many occurrences of in. Therefore $u$ is fair in in.

Formally, since both $u_1$ and $u_2$ are infinite, we need to consider every pair $((F_1,C_1), (F_2,C_2))$ in the Cartesian product of $\Phi(Send)$ and $\Phi(Fair)$, decide whether to discard it and, if not, figure out how to merge appropriately the pair of pairs into a single pair $(F,C)$.

One of the crucial observations is the following. For $a \in A = \{error, out\}$, the number of occurrences of $a$ in $u_1$, $u_2$ and $u$ is the same. Therefore we can discard all those pairs $((F_1,C_1), (F_2,C_2))$ such that there is $a \in A$ with $a \in F_1 \cap C_2$ or $a \in C_1 \cap F_2$. This leaves us with only two pairs:

(1) $((\{in, out\}, \{error\}), (\{out\}, \{in, error\}))$, and

(2) $((\{error, in, out\}, \emptyset), (\{error, out\}, \{in\}))$.

The important question now is what we do with the event in, which does not belong to the synchronisation set $A$. The reasoning we apply is that $u$ is fair in in if at least one of $u_1$ and $u_2$ is fair in in, and $u$ is co-fair in in if both $u_1$ and $u_2$ are co-fair in in. Then from the first pair we obtain $(F,C) = (\{in, out\}, \{error\})$ and from the second pair we obtain $(F,C) = (\{error, in, out\}, \emptyset)$. Hence we obtain the following final result for $\Phi(Network)$, which confirms that every infinite trace of Network contains infinitely many occurrences of in:

  $\Phi(Network) = \{ (\{in, out\}, \{error\}), (\{error, in, out\}, \emptyset) \}$

Now the only thing that remains is to handle the hiding operator, i.e., analyse $System = Network \setminus \{error, out\}$. Since for all $(F,C) \in \Phi(Network)$, $F - \{error, out\} \neq \emptyset$, $\delta(System) = false$, i.e., we establish, as required, that System is livelock-free. As a nice consequence, $\Phi(System) = \{(\{in\}, \{error, out\})\}$ asserts that every infinite trace $u$ of System contains infinitely many occurrences of in and only finitely many occurrences of out and error.
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Appendix G. Symbolic Encoding 

In this section we focus on the details regarding the symbohc part of our frameworks and 
algorithms. 

In general, because we need to encode sets of sets of events, we use one-hot Boolean 
encoding [TI], i.e., for each a G E"^ we employ a Boolean variable which is also written a. 
The Boolean formula a then encodes all sets of events {A C S"^ | a G A}. For the SFS 
framework we use a single vector y of | S"^ | Boolean variables, whereas for the general 



framework — the one described in Section 5 — we employ two copies: one vector x for mod- 



elling the U component and another y for modelling the V component (see Propositions 



5.2, 5.4 and 5.5). In addition, we use auxiliary copies of variables for constructing more 
complex expressions using quantifiers and substitution. For those we use primed versions 
of X and y. 

It is important to note that SAT techniques enable us to find a single fair set or fair/co- 
fair pair of sets for a process. An advantage of this approach is the efficiency of modern SAT 
solvers. However, we need to introduce fresh vectors of variables for each instance of (even 
the same) subprocess. This is required because it might be necessary to generate different 
fair or fair/co-fair sets for a given term, depending on the context in which it appears. 

Using BDDs j3| enables us to find all possible fair or fair/co-fair sets that the system 
of rules is capable of detecting. Hence we do not need to duplicate subprocess encodings, 
but we need to take care of variable orderings which can dramatically infiuence the size 
of the resulting BDD. We use a variable ordering similar to the ones proposed in [Uj and 
adopted by the probabilistic model checker PRISM [S] [T2] . BDDs generally generate more 
compact representations than SAT encodings due to their canonicity and capacity to capture 
regularities. 



G.l. The SFS Framework. 



G.1.1. Computing Fair/Co-Fair Sets for Sequential SFS Processes. Let $P$ be a sequential SFS process and let us suppose that we have already established that $\delta(P) = \mathit{false}$, i.e., that $P$ is livelock-free. As described in Section 6.1, we then generate a collection of fair/co-fair pairs of disjoint sets $\Phi(P) = \{(F_1, C_1), \ldots, (F_k, C_k)\} \subseteq \mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma)$ such that for every $1 \le i \le k$, 

$$(F_i, C_i) \in \Phi(P) \iff \exists u \in \mathit{traces}^{\infty}(P)\,.\ u \text{ is fair in } F_i \text{ and co-fair in } C_i. \tag{G.1}$$

The computation of $\Phi(P)$ is carried out directly on the labelled transition system $M_P$ associated with $P$ (in which unreachable states have been excised). Let us fix $M_P = (S, \mathit{init}, \Sigma_P, \rightarrow)$ and let us suppose that $P$ is a subcomponent of a system with alphabet $\Sigma$. 

For a particular non-empty $L \subseteq \Sigma_P$, deciding whether or not to include $(L, \Sigma - L)$ in $\Phi(P)$ (lines 3-4, Algorithm 1) can be carried out in PTIME. More specifically, after obtaining $G_L$, we can check whether there exists $s \in S$ such that for every $a \in L$, there exists a transition $\mathit{src} \xrightarrow{a} \mathit{dest}$ such that there are paths from $s$ to $\mathit{src}$ and from $\mathit{dest}$ back to $s$, as illustrated in Figure 14 for $L = \{\mathit{in}, \mathit{out}, \mathit{error}\}$. Note that such paths necessarily consist entirely of events in $L \cup \{\tau\}$. 

Algorithm 1 Computing $\Phi(P)$ 

1: $\Phi(P) = \emptyset$ 
2: for every non-empty set $L \subseteq \Sigma_P$ do 
3:   construct a labelled graph $G_L$ from $P$'s LTS (having pruned unreachable states) by deleting all $(\Sigma - L)$-labelled transitions 
4:   if $G_L$ contains an SCC which comprises every event in $L$ then 
5:     include $(L, \Sigma - L)$ in $\Phi(P)$ 
6:   end if 
7: end for 
8: return $\Phi(P)$ 

Figure 14: Calculating fair/co-fair sets for sequential SFS processes. [Figure: an LTS whose transitions are labelled with the events in, out and error; the drawing is not reproduced here.] 

In fact, we can encode this symbolically for all possible subsets of $\Sigma_P$ via the following Boolean formula: 

$$\mathit{MaxSCC} = \bigvee_{s \in S}\ \bigwedge_{a \in \Sigma_P} \Big[\neg a \ \vee \bigvee_{\mathit{src} \xrightarrow{a} \mathit{dest}} \big(\mathit{Path}(s, \mathit{src}) \wedge \mathit{Path}(\mathit{dest}, s)\big)\Big], \tag{G.2}$$

where: 

(1) For all $s, t \in S$, $\mathit{Path}(s,t)$ encodes all symbolic traces over $\Sigma_P$ from $s$ to $t$ of length at most $|S|$, i.e., all symbolic traces of length at most the longest simple path in $M_P$. In order to compute $\mathit{Path}(s,t)$ for all $s, t \in S$ simultaneously, we extend standard algorithms for computing the transitive closure of the adjacency matrix of the transition relation of $M_P$, such as Floyd-Warshall, iterative squaring, or successive adjacency-matrix multiplications. Since the order of events on those traces is irrelevant to fairness and co-fairness, we do not employ symbolic state variables and use just a single copy of event variables to carry out the computation, as illustrated in Figure 15. We note that in those algorithms we do not check whether we reach a fixed point in the computation. As a consequence, if using a SAT encoding, the resulting formulas may contain redundancies. 



(2) The Boolean formula (G.2) contains an implicit iterator over all possible subsets $L$ of $\Sigma_P \cup \{\tau\}$. In order to exclude the options $L = \emptyset$ and $L = \{\tau\}$, we conjoin the formula with the restriction $\bigvee_{a \in \Sigma_P} a$. 

(3) We need to also declare all infinite traces of $P$ as co-fair in $\Sigma - \Sigma_P$. To do so, we add another Boolean conjunct $\bigwedge_{a \in (\Sigma - \Sigma_P)} \neg a$. 
Figure 15: A symbolic representation of the adjacency matrix and the path matrix of the process Send. The path matrix is computed using successive matrix multiplications. [Figure: two matrices indexed by the states of Send whose entries are Boolean formulas over the event variables in, out and error, such as false, in, (in ∧ out) and (out) ∨ (error ∧ out); the layout is not reproduced here.] 



The Boolean encoding of $\Phi(P)$ is then as follows: 

$$\Phi(P) = \Big(\bigvee_{a \in \Sigma_P} a\Big) \wedge \Big(\bigwedge_{a \in (\Sigma - \Sigma_P)} \neg a\Big) \wedge \mathit{MaxSCC}. \tag{G.3}$$
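The following added example (not code from the paper or its implementation) carries out the computation just described on explicit sets instead of BDDs or SAT: it runs Algorithm 1 literally (build $G_L$, take the transitive closure, look for an SCC covering $L$) and, independently, builds the symbolic path matrix of item (1) in DNF over event variables and evaluates (G.2) and (G.3) for every non-empty $L \subseteq \Sigma_P$. The LTS `SEND`, the system alphabet `SIGMA` and all function names are assumptions constructed for the illustration; the paper's Send process is not reproduced. Following Algorithm 1 and item (3), the co-fair set of a pair is taken to be $\Sigma - L$, and the empty path is treated as the constant true so that $s = \mathit{src}$ is permitted.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

TAU = "tau"
Event, State = str, int
Transition = Tuple[State, Event, State]
Term = FrozenSet[Event]      # a conjunction of (positive) event variables
Formula = Set[Term]          # a disjunction of such conjunctions (DNF)

# Constructed LTS for illustration only (not the paper's Send process):
# 0 -in-> 1, 1 -out-> 0, 1 -error-> 2, 2 -tau-> 0 (silent retry).
SEND: List[Transition] = [(0, "in", 1), (1, "out", 0), (1, "error", 2), (2, TAU, 0)]
SIGMA = frozenset({"in", "out", "error", "ack"})   # system alphabet; ack is outside Sigma_P


def _states(trans: List[Transition]) -> List[State]:
    return sorted({s for s, _, _ in trans} | {t for _, _, t in trans})


def _sigma_p(trans: List[Transition]) -> FrozenSet[Event]:
    return frozenset(a for _, a, _ in trans if a != TAU)


def _nonempty_subsets(sigma_p: FrozenSet[Event]):
    ev = sorted(sigma_p)
    for k in range(1, len(ev) + 1):
        for comb in combinations(ev, k):
            yield frozenset(comb)


# --- Algorithm 1 on explicit graphs: SCC test on G_L for every non-empty L ---

def algorithm1(trans: List[Transition], sigma: FrozenSet[Event]):
    states, result = _states(trans), set()
    for L in _nonempty_subsets(_sigma_p(trans)):
        g_l = [(s, a, t) for s, a, t in trans if a == TAU or a in L]   # drop (Sigma - L) edges
        reach = {(s, t): s == t for s in states for t in states}
        for s, _, t in g_l:
            reach[(s, t)] = True
        for m in states:                         # Floyd-Warshall transitive closure
            for s in states:
                for t in states:
                    if reach[(s, m)] and reach[(m, t)]:
                        reach[(s, t)] = True
        for s in states:
            scc = {t for t in states if reach[(s, t)] and reach[(t, s)]}
            if L <= {a for u, a, v in g_l if u in scc and v in scc}:
                result.add((L, sigma - L))       # (L, Sigma - L) is a fair/co-fair pair
                break
    return result


# --- Symbolic version: DNF path matrix and evaluation of (G.2)/(G.3) ---------

def _minimise(f: Formula) -> Formula:
    """Drop terms that strictly contain another term (a subsumes a AND b)."""
    return {t for t in f if not any(u < t for u in f)}


def _conjoin(f: Formula, g: Formula) -> Formula:
    return _minimise({a | b for a in f for b in g})


def _disjoin(f: Formula, g: Formula) -> Formula:
    return _minimise(f | g)


def path_matrix(trans: List[Transition]) -> Dict[Tuple[State, State], Formula]:
    """Path(s,t): event sets (order ignored, tau omitted) of paths from s to t of
    length at most |S|, by repeated multiplication of the symbolic adjacency matrix."""
    states = _states(trans)
    adj: Dict[Tuple[State, State], Formula] = {(s, t): set() for s in states for t in states}
    for s, a, t in trans:
        adj[(s, t)] = _disjoin(adj[(s, t)], {frozenset() if a == TAU else frozenset([a])})
    path = {k: set(v) for k, v in adj.items()}
    power = {k: set(v) for k, v in adj.items()}          # paths of exactly k edges
    for _ in range(len(states) - 1):
        power = {(s, t): _minimise({term for m in states
                                    for term in _conjoin(power[(s, m)], adj[(m, t)])})
                 for s in states for t in states}
        path = {k: _disjoin(path[k], power[k]) for k in path}
    for s in states:
        path[(s, s)] = {frozenset()}                     # empty path = constant true
    return path


def max_scc(L: FrozenSet[Event], trans: List[Transition], path) -> bool:
    """Evaluate MaxSCC (G.2) under the assignment making exactly the variables in L true."""
    def sat(f: Formula) -> bool:                         # positive DNF: some term within L
        return any(term <= L for term in f)
    return any(all(any(sat(path[(s, src)]) and sat(path[(dst, s)])
                       for src, b, dst in trans if b == a)
                   for a in L)
               for s in _states(trans))


def phi_symbolic(trans: List[Transition], sigma: FrozenSet[Event]):
    """(G.3): some Sigma_P variable true, all Sigma - Sigma_P variables false, MaxSCC holds."""
    path = path_matrix(trans)
    return {(L, sigma - L) for L in _nonempty_subsets(_sigma_p(trans)) if max_scc(L, trans, path)}
```

On `SEND` both routes return the same three pairs, with fair sets $\{in, out\}$, $\{in, error\}$ and $\{in, out, error\}$; $\{out, error\}$ is rejected because returning to the state that offers `out` requires `in`, and the singleton sets are rejected because no cycle uses a single event. The DNF representation is the set-based analogue of the one-hot encoding: a term is a conjunction of event variables, and minimisation plays the role that canonicity plays for BDDs.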



The Key: PTIME Algorithms and Circuits. As stated earlier, given a process $P$ and a non-empty set of events $L \subseteq \Sigma_P$, deciding whether or not to include $(L, \Sigma - L)$ in $\Phi(P)$ can be carried out in PTIME. Therefore, for the particular $P$ and $L$, there exists a polynomial-size variable-free Boolean circuit that outputs true if and only if the pair $(L, \Sigma - L)$ is a fair/co-fair pair for $P$.[15] 

Let us fix $P$ and let us observe, moreover, that the construction of the variable-free circuit does not depend on the particular choice of $L$ (see (G.2) and (G.3)). Therefore, we can leave the $\Sigma_P$ input gates of the circuit as Boolean variables [13]. What we obtain is a compact circuit of size polynomial in the syntax of $P$ that encodes the computation of $\Phi(P)$ once and for all possible inputs, i.e., for all exponentially many subsets of $\Sigma_P$. We remark that the size of the circuit is polynomial in the size of $P$'s LTS, which in turn is polynomial in $P$'s syntactic description, since we are dealing with sequential SFS processes. Since the circuit is of polynomial size, it can be turned into a polynomial-size (equisatisfiable) Boolean formula using, e.g., Tseitin's encoding [27]. The circuit can also be turned into a BDD, in which case the size of the BDD could potentially blow up; however, this is usually not the case in practice. Consequently, the Boolean formula or the BDD encoding of $\Phi(P)$ can be plugged into our compositional rules and be queried on demand when necessary, which fits very nicely into our symbolic framework. 

G.1.2. Encoding Compositional Rules. The encoding of the rules for computing the livelock flag $\delta(P)$ and the collections of fair/co-fair pairs $\Phi(P)$ of a compound SFS process $P$ (see Theorem 6.1) is given in Figures 16 and 17 for Boolean formulas (i.e., for SAT) and in Figures 18 and 19 for BDDs. 

[15] This follows from the PTIME-hardness of CIRCUIT VALUE. 



$$\begin{aligned}
\Phi(a \to P)(y) &= \Phi(P)(y) \\[4pt]
\Phi(P_1 \oplus P_2)(y) &= \Phi(P_1)(y') \wedge \Phi(P_2)(y'') \wedge \Big[\bigwedge_{a \in \Sigma} a(y) \leftrightarrow a(y') \ \vee\ \bigwedge_{a \in \Sigma} a(y) \leftrightarrow a(y'')\Big] \quad \text{if } \oplus \in \{\sqcap, \Box, ;\} \\[4pt]
\Phi(P_1 \parallel_A P_2)(y) &= \Phi(P_1)(y') \wedge \Phi(P_2)(y'') \wedge \Big[ \Big\{\bigwedge_{a \in A} \neg a(y') \wedge \bigwedge_{a \in \Sigma} a(y) \leftrightarrow a(y')\Big\} \ \vee \\
&\qquad \Big\{\bigwedge_{a \in A} \neg a(y'') \wedge \bigwedge_{a \in \Sigma} a(y) \leftrightarrow a(y'')\Big\} \ \vee \\
&\qquad \Big\{\bigwedge_{a \in \Sigma} a(y) \leftrightarrow (a(y') \vee a(y'')) \wedge \bigwedge_{a \in A} \neg a(y) \leftrightarrow (\neg a(y') \vee \neg a(y'')) \\
&\qquad\quad \wedge \bigwedge_{a \in \Sigma \setminus A} \neg a(y) \leftrightarrow (\neg a(y') \wedge \neg a(y''))\Big\} \Big] \\[4pt]
\Phi(P \setminus A)(y) &= \Phi(P)(y') \wedge \bigwedge_{a \in \Sigma \setminus A} a(y) \leftrightarrow a(y') \wedge \bigwedge_{a \in A} \neg a(y) \\[4pt]
\Phi(P[R])(y) &= \Phi(P)(y') \wedge \bigwedge_{a \in \Sigma} \Big[a(y') \to \Big(\bigvee_{a\,R\,b} b(y)\Big)\Big] \wedge \bigwedge_{b \in \Sigma} \Big[\Big(\bigwedge_{c\,R\,b} \neg c(y')\Big) \to \neg b(y)\Big]
\end{aligned}$$

Figure 16: SAT encoding of $\Phi(P)$. 

$$\delta(P \setminus A) = \delta(P) \ \vee\ \Big(\Big[\Phi(P)(y) \wedge \neg\Big(\bigvee_{b \in \Sigma \setminus A} b(y)\Big)\Big] \text{ is sat}\Big)$$

Figure 17: SAT encoding of $\delta(P)$. 
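The rules of Figures 16 and 17, rendered on explicit sets as an added example (not the paper's encoding or tool): $\Phi(P)$ is represented as the set of fair sets $F$, with the co-fair set understood as $\Sigma - F$ exactly as in Algorithm 1, so each SAT rule becomes a set operation. The three disjuncts of the parallel rule become three cases (only $P_1$ runs forever and does no synchronised event infinitely often; symmetrically for $P_2$; or both run forever and then must agree on every event in $A$, since a synchronised event occurs infinitely often only when both components perform it infinitely often). The collections `PHI_SEND`, `PHI_RECV`, the alphabet and the renaming relation are constructed assumptions, as are all function names.

```python
from itertools import combinations
from typing import FrozenSet, Set, Tuple

Ev = str
FairSet = FrozenSet[Ev]
Phi = Set[FairSet]            # Phi(P) as the set of fair sets F; co-fair set is Sigma - F

# Constructed alphabet and fair-set collections for illustration (not from the paper).
SIGMA = frozenset({"in", "out", "error", "ack", "done"})
PHI_SEND: Phi = {frozenset({"in", "out"}), frozenset({"in", "error"}),
                 frozenset({"in", "out", "error"})}
PHI_RECV: Phi = {frozenset({"out", "ack"})}


def subsets(sigma: FrozenSet[Ev]):
    ev = sorted(sigma)
    return [frozenset(c) for k in range(len(ev) + 1) for c in combinations(ev, k)]


def phi_prefix(phi: Phi) -> Phi:
    """a -> P: a finite prefix does not change the infinite behaviour."""
    return set(phi)


def phi_choice(phi1: Phi, phi2: Phi) -> Phi:
    """Internal/external choice and sequencing: y agrees with y' or with y''."""
    return phi1 | phi2


def phi_parallel(phi1: Phi, phi2: Phi, sync: FrozenSet[Ev]) -> Phi:
    """The three disjuncts of the parallel rule."""
    res = {F1 for F1 in phi1 if not (F1 & sync)}          # only P1 runs forever
    res |= {F2 for F2 in phi2 if not (F2 & sync)}         # only P2 runs forever
    res |= {F1 | F2 for F1 in phi1 for F2 in phi2         # both run forever and
            if F1 & sync == F2 & sync}                    # agree on synchronised events
    return res


def phi_hide(phi: Phi, hidden: FrozenSet[Ev]) -> Phi:
    """a(y) <-> a(y') outside A and not a(y) inside A: hidden events become co-fair."""
    return {F - hidden for F in phi}


def phi_rename(phi: Phi, rel: Set[Tuple[Ev, Ev]], sigma: FrozenSet[Ev]) -> Phi:
    """Every fair a needs some image b fair; every fair b needs some fair pre-image c."""
    return {Fp for F in phi for Fp in subsets(sigma)
            if all(any((a, b) in rel for b in Fp) for a in F)
            and all(any((c, b) in rel for c in F) for b in Fp)}


def delta_hide(delta_p: bool, phi: Phi, hidden: FrozenSet[Ev]) -> bool:
    """Figure 17: P \\ A diverges iff P does, or some fair set of P lies inside A
    (the formula Phi(P)(y) AND NOT(OR of b(y) for b outside A) is satisfiable)."""
    return delta_p or any(F <= hidden for F in phi)
```

Hiding $\{in, error\}$ from a process with fair set $\{in, error\}$ makes `delta_hide` report divergence, whereas hiding $\{out, error\}$ does not, because every fair set of `PHI_SEND` contains `in`. With a functional renaming that merges `out` and `error` into `done`, every fair set collapses to $\{in, done\}$; a relational renaming would instead yield several candidate images, which is why `phi_rename` enumerates subsets rather than mapping $F$ pointwise.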



G.2. The General Framework. The BDD and SAT encodings of the rules for computing the nonexpansive, guard, contractive, and fair sets of CSP terms (see Theorems 5.2, 5.3, 5.4, and 5.5) are formalised similarly to the ones for the structurally finite-state processes. We illustrate the scheme and the use of two vectors of event variables by providing the BDD encoding of the rules for computing nonexpansive sets in Figure 20. 

In the encoding, the vectors of Boolean variables $x$ and $y$ model, respectively, the $U$ and $V$ components of the pairs of sets of events. To understand the meaning of the encoding operators UClosure, DClosure, and UDClosure, suppose the formula $\varphi(x,y)$ encodes the set of pairs of sets of events $A = \{(U,V) \mid \ldots\}$ and the formula $\psi(y)$ encodes the set of sets of events $B = \{V \mid \ldots\}$. Then the formulas $\mathrm{UClosure}(A)(x,y)$, $\mathrm{UDClosure}(A)(x,y)$, $\mathrm{UClosure}(B)(y)$, and $\mathrm{DClosure}(B)(y)$ encode, respectively, the sets $\{(U,V) \mid (U,V') \in A \wedge V' \subseteq V\}$, $\{(U,V) \mid (U',V') \in A \wedge U \subseteq U' \wedge V' \subseteq V\}$, $\{V \mid V' \in B \wedge V' \subseteq V\}$ and $\{V \mid V' \in B \wedge V \subseteq V'\}$: 

$$\begin{aligned}
\mathrm{UClosure}(A)(x,y) &= \exists y'\,.\ \varphi(x,y') \wedge \bigwedge_i (y'_i \to y_i) \\
\mathrm{UDClosure}(A)(x,y) &= \exists x' y'\,.\ \varphi(x',y') \wedge \bigwedge_i (x_i \to x'_i) \wedge \bigwedge_i (y'_i \to y_i) \\
\mathrm{UClosure}(B)(y) &= \exists y'\,.\ \psi(y') \wedge \bigwedge_i (y'_i \to y_i) \\
\mathrm{DClosure}(B)(y) &= \exists y'\,.\ \psi(y') \wedge \bigwedge_i (y_i \to y'_i)
\end{aligned}$$

$$\begin{aligned}
\Phi(a \to P)(y) &= \Phi(P)(y) \\[4pt]
\Phi(P_1 \oplus P_2)(y) &= \Phi(P_1)(y) \vee \Phi(P_2)(y) \quad \text{if } \oplus \in \{\sqcap, \Box, ;\} \\[4pt]
\Phi(P_1 \parallel_A P_2)(y) &= \exists y' \exists y''\,.\ \Phi(P_1)(y') \wedge \Phi(P_2)(y'') \wedge \Big[ \Big\{\bigwedge_{a \in A} \neg a(y') \wedge \bigwedge_{a \in \Sigma} a(y) \leftrightarrow a(y')\Big\} \ \vee \\
&\qquad \Big\{\bigwedge_{a \in A} \neg a(y'') \wedge \bigwedge_{a \in \Sigma} a(y) \leftrightarrow a(y'')\Big\} \ \vee \\
&\qquad \Big\{\bigwedge_{a \in \Sigma} a(y) \leftrightarrow (a(y') \vee a(y'')) \wedge \bigwedge_{a \in A} \neg a(y) \leftrightarrow (\neg a(y') \vee \neg a(y'')) \\
&\qquad\quad \wedge \bigwedge_{a \in \Sigma \setminus A} \neg a(y) \leftrightarrow (\neg a(y') \wedge \neg a(y''))\Big\} \Big] \\[4pt]
\Phi(P \setminus A)(y) &= \big[\exists y_A\,.\ \Phi(P)(y)\big] \wedge \bigwedge_{a \in A} \neg a(y) \\[4pt]
\Phi(P[R])(y) &= \exists y'\,.\ \Phi(P)(y') \wedge \bigwedge_{a \in \Sigma} \Big[a(y') \to \Big(\bigvee_{a\,R\,b} b(y)\Big)\Big] \wedge \bigwedge_{b \in \Sigma} \Big[\Big(\bigwedge_{c\,R\,b} \neg c(y')\Big) \to \neg b(y)\Big]
\end{aligned}$$

Figure 18: BDD encoding of $\Phi(P)$. 

Figure 19: BDD encoding of $\delta(P)$. [The rules of this figure are not reproduced on this page.] 
$N_X(P)(x,y) = \mathit{true}$ whenever $X$ is not free in $P$; otherwise: 

$$\begin{aligned}
N_X(a \to P)(x,y) &= N_X(P)(x,y) \\[4pt]
N_X(P_1 \oplus P_2)(x,y) &= N_X(P_1)(x,y) \wedge N_X(P_2)(x,y) \quad \text{if } \oplus \in \{\sqcap, \Box, ;, \parallel\} \\[4pt]
N_X(P \setminus A)(x,y) &= \mathrm{UClosure}\big(N_X(P)(x,y) \wedge \chi(\{V \mid V \subseteq \Sigma - A\})(y)\big) \\
&= \mathrm{UClosure}\big(N_X(P)(x,y) \wedge \mathrm{DClosure}(\Sigma - A)(y)\big) \\[4pt]
N_X(P[R])(x,y) &= \mathrm{UClosure}\big(\exists y'\,.\ N_X(P)(x,y') \wedge \rho(y',y)\big) \\[4pt]
N_X(X)(x,y) &= \bigwedge_i (x_i \to y_i) \\[4pt]
N_X(\mu Y.P)(x,y) &= \mathrm{UDClosure}\Big(N_X(P)(x,y) \wedge \exists x'\,.\ \big(N_Y(P)(x',y) \wedge \bigwedge_i (x'_i \to y_i)\big)\Big) \quad \text{if } Y \neq X
\end{aligned}$$

Figure 20: BDD encoding of $N_X(P)$. 
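As an added example (not the paper's encoding), the closure operators of Section G.2 and the two rules of Figure 20 that use them directly, $N_X(X)$ and $N_X(P \setminus A)$, on explicit sets of pairs: $x$ and $y$ are bit vectors over a constructed alphabet, so $\bigwedge_i (y'_i \to y_i)$ is exactly $V' \subseteq V$, and the identity $\chi(\{V \mid V \subseteq \Sigma - A\}) = \mathrm{DClosure}(\{\Sigma - A\})$ stated in the hiding rule is checked by enumeration. The alphabet, the sample collection `N_SAMPLE` and all function names are assumptions; the other rules of Figure 20 need the semantics of Section 5 and are not modelled.

```python
from itertools import combinations
from typing import FrozenSet, Set, Tuple

Ev = str
Evs = FrozenSet[Ev]
Pair = Tuple[Evs, Evs]            # (U, V): the x vector encodes U, the y vector encodes V

SIGMA = frozenset({"a", "b", "c"})                       # constructed alphabet
N_SAMPLE: Set[Pair] = {(frozenset({"a"}), frozenset({"a", "b"}))}   # constructed N_X(P)


def subsets(sigma: Evs):
    ev = sorted(sigma)
    return [frozenset(c) for k in range(len(ev) + 1) for c in combinations(ev, k)]


def implies_vector(vp: Evs, v: Evs, sigma: Evs) -> bool:
    """The conjunct AND_i (y'_i -> y_i) evaluated on the one-hot vectors of V' and V."""
    return all((e not in vp) or (e in v) for e in sorted(sigma))


def u_closure_pairs(A: Set[Pair], sigma: Evs) -> Set[Pair]:
    """UClosure(A): exists y'. phi(x, y') and AND_i (y'_i -> y_i), i.e. V' subset of V."""
    return {(U, V) for (U, Vp) in A for V in subsets(sigma) if implies_vector(Vp, V, sigma)}


def ud_closure_pairs(A: Set[Pair], sigma: Evs) -> Set[Pair]:
    """UDClosure(A): U subset of U' (x_i -> x'_i) and V' subset of V (y'_i -> y_i)."""
    return {(U, V) for (Up, Vp) in A for U in subsets(sigma) for V in subsets(sigma)
            if implies_vector(U, Up, sigma) and implies_vector(Vp, V, sigma)}


def u_closure(B: Set[Evs], sigma: Evs) -> Set[Evs]:
    return {V for Vp in B for V in subsets(sigma) if implies_vector(Vp, V, sigma)}


def d_closure(B: Set[Evs], sigma: Evs) -> Set[Evs]:
    """DClosure(B): exists y'. psi(y') and AND_i (y_i -> y'_i), i.e. V subset of V'."""
    return {V for Vp in B for V in subsets(sigma) if implies_vector(V, Vp, sigma)}


def chi_hidden(sigma: Evs, hidden: Evs) -> Set[Evs]:
    """chi({V | V subset of Sigma - A}), the first form of the N_X(P \\ A) rule."""
    return {V for V in subsets(sigma) if V <= sigma - hidden}


def nonexpansive_hide(n_x: Set[Pair], sigma: Evs, hidden: Evs) -> Set[Pair]:
    """N_X(P \\ A) = UClosure(N_X(P) and DClosure(Sigma - A)), second form of the rule."""
    allowed = d_closure({sigma - hidden}, sigma)
    return u_closure_pairs({(U, V) for (U, V) in n_x if V in allowed}, sigma)


def nonexpansive_var(sigma: Evs) -> Set[Pair]:
    """N_X(X) = AND_i (x_i -> y_i): every pair with U subset of V."""
    return {(U, V) for U in subsets(sigma) for V in subsets(sigma) if implies_vector(U, V, sigma)}
```

With `N_SAMPLE` holding the single pair $(\{a\}, \{a,b\})$, hiding $\{c\}$ keeps the pair (its $V$ lies inside $\Sigma - A$) and the upward closure adds $(\{a\}, \{a,b,c\})$, whereas hiding $\{b\}$ yields the empty collection. Over a three-event alphabet, $N_X(X)$ contains $3^3 = 27$ pairs, one for each way of placing an event outside $V$, in $V \setminus U$, or in $U$.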



